From 303d9bf6bb64ead8e3f1d7e29904a4025502e591 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1aky=20P=C3=A9rez-Gonz=C3=A1lez?= Date: Wed, 23 Jan 2008 13:40:27 -0800 Subject: rfkill: add the WiMAX radio type Teach rfkill about wimax radios. Had to define a KEY_WIMAX as a 'key for disabling only wimax radios', as other radio technologies have. This makes sense as hardware has specific keys for disabling specific radios. The RFKILL enabling part is, otherwise, a copy and paste of any other radio technology. Signed-off-by: Inaky Perez-Gonzalez Signed-off-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: David S. Miller --- include/linux/input.h | 2 ++ include/linux/rfkill.h | 2 ++ 2 files changed, 4 insertions(+) (limited to 'include') diff --git a/include/linux/input.h b/include/linux/input.h index 2075d6da2a31..056a17a4f34f 100644 --- a/include/linux/input.h +++ b/include/linux/input.h @@ -371,6 +371,8 @@ struct input_absinfo { #define KEY_BRIGHTNESS_ZERO 244 /* brightness off, use ambient */ #define KEY_DISPLAY_OFF 245 /* display device to off state */ +#define KEY_WIMAX 246 + #define BTN_MISC 0x100 #define BTN_0 0x100 #define BTN_1 0x101 diff --git a/include/linux/rfkill.h b/include/linux/rfkill.h index 0ce5e0b52dbd..e3ab21d7fc7f 100644 --- a/include/linux/rfkill.h +++ b/include/linux/rfkill.h @@ -33,11 +33,13 @@ * RFKILL_TYPE_WLAN: switch is on a 802.11 wireless network device. * RFKILL_TYPE_BLUETOOTH: switch is on a bluetooth device. * RFKILL_TYPE_UWB: switch is on a ultra wideband device. + * RFKILL_TYPE_WIMAX: switch is on a WiMAX device. */ enum rfkill_type { RFKILL_TYPE_WLAN , RFKILL_TYPE_BLUETOOTH, RFKILL_TYPE_UWB, + RFKILL_TYPE_WIMAX, RFKILL_TYPE_MAX, }; -- cgit v1.2.2 From 3692e94f1559523b84a5a0e65929ee84b276e83f Mon Sep 17 00:00:00 2001 
From: Jussi Kivilinna Date: Sat, 26 Jan 2008 00:51:45 +0200 Subject: Move usbnet.h and rndis_host.h to include/linux/usb Move headers usbnet.h and rndis_host.h to include/linux/usb and fix includes for drivers/net/usb modules. Headers are moved because rndis_wlan will be outside drivers/net/usb in drivers/net/wireless and yet need these headers. Signed-off-by: Jussi Kivilinna Acked-by: David Brownell Signed-off-by: John W. Linville Signed-off-by: David S. Miller --- include/linux/usb/rndis_host.h | 274 +++++++++++++++++++++++++++++++++++++++++ include/linux/usb/usbnet.h | 214 ++++++++++++++++++++++++++++++++ 2 files changed, 488 insertions(+) create mode 100644 include/linux/usb/rndis_host.h create mode 100644 include/linux/usb/usbnet.h (limited to 'include') diff --git a/include/linux/usb/rndis_host.h b/include/linux/usb/rndis_host.h new file mode 100644 index 000000000000..edc1d4a0e272 --- /dev/null +++ b/include/linux/usb/rndis_host.h 
@@ -0,0 +1,274 @@ +/* + * Host Side support for RNDIS Networking Links + * Copyright (C) 2005 by David Brownell + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#ifndef __RNDIS_HOST_H +#define __RNDIS_HOST_H + + +/* + * CONTROL uses CDC "encapsulated commands" with funky notifications. + * - control-out: SEND_ENCAPSULATED + * - interrupt-in: RESPONSE_AVAILABLE + * - control-in: GET_ENCAPSULATED + * + * We'll try to ignore the RESPONSE_AVAILABLE notifications. + * + * REVISIT some RNDIS implementations seem to have curious issues still + * to be resolved. + */ +struct rndis_msg_hdr { + __le32 msg_type; /* RNDIS_MSG_* */ + __le32 msg_len; + // followed by data that varies between messages + __le32 request_id; + __le32 status; + // ... and more +} __attribute__ ((packed)); + +/* MS-Windows uses this strange size, but RNDIS spec says 1024 minimum */ +#define CONTROL_BUFFER_SIZE 1025 + +/* RNDIS defines an (absurdly huge) 10 second control timeout, + * but ActiveSync seems to use a more usual 5 second timeout + * (which matches the USB 2.0 spec). 
+ */ +#define RNDIS_CONTROL_TIMEOUT_MS (5 * 1000) + + +#define ccpu2 __constant_cpu_to_le32 + +#define RNDIS_MSG_COMPLETION ccpu2(0x80000000) + +/* codes for "msg_type" field of rndis messages; + * only the data channel uses packet messages (maybe batched); + * everything else goes on the control channel. + */ +#define RNDIS_MSG_PACKET ccpu2(0x00000001) /* 1-N packets */ +#define RNDIS_MSG_INIT ccpu2(0x00000002) +#define RNDIS_MSG_INIT_C (RNDIS_MSG_INIT|RNDIS_MSG_COMPLETION) +#define RNDIS_MSG_HALT ccpu2(0x00000003) +#define RNDIS_MSG_QUERY ccpu2(0x00000004) +#define RNDIS_MSG_QUERY_C (RNDIS_MSG_QUERY|RNDIS_MSG_COMPLETION) +#define RNDIS_MSG_SET ccpu2(0x00000005) +#define RNDIS_MSG_SET_C (RNDIS_MSG_SET|RNDIS_MSG_COMPLETION) +#define RNDIS_MSG_RESET ccpu2(0x00000006) +#define RNDIS_MSG_RESET_C (RNDIS_MSG_RESET|RNDIS_MSG_COMPLETION) +#define RNDIS_MSG_INDICATE ccpu2(0x00000007) +#define RNDIS_MSG_KEEPALIVE ccpu2(0x00000008) +#define RNDIS_MSG_KEEPALIVE_C (RNDIS_MSG_KEEPALIVE|RNDIS_MSG_COMPLETION) + +/* codes for "status" field of completion messages */ +#define RNDIS_STATUS_SUCCESS ccpu2(0x00000000) +#define RNDIS_STATUS_FAILURE ccpu2(0xc0000001) +#define RNDIS_STATUS_INVALID_DATA ccpu2(0xc0010015) +#define RNDIS_STATUS_NOT_SUPPORTED ccpu2(0xc00000bb) +#define RNDIS_STATUS_MEDIA_CONNECT ccpu2(0x4001000b) +#define RNDIS_STATUS_MEDIA_DISCONNECT ccpu2(0x4001000c) + +/* codes for OID_GEN_PHYSICAL_MEDIUM */ +#define RNDIS_PHYSICAL_MEDIUM_UNSPECIFIED ccpu2(0x00000000) +#define RNDIS_PHYSICAL_MEDIUM_WIRELESS_LAN ccpu2(0x00000001) +#define RNDIS_PHYSICAL_MEDIUM_CABLE_MODEM ccpu2(0x00000002) +#define RNDIS_PHYSICAL_MEDIUM_PHONE_LINE ccpu2(0x00000003) +#define RNDIS_PHYSICAL_MEDIUM_POWER_LINE ccpu2(0x00000004) +#define RNDIS_PHYSICAL_MEDIUM_DSL ccpu2(0x00000005) +#define RNDIS_PHYSICAL_MEDIUM_FIBRE_CHANNEL ccpu2(0x00000006) +#define RNDIS_PHYSICAL_MEDIUM_1394 ccpu2(0x00000007) +#define RNDIS_PHYSICAL_MEDIUM_WIRELESS_WAN ccpu2(0x00000008) +#define RNDIS_PHYSICAL_MEDIUM_MAX 
ccpu2(0x00000009) + +struct rndis_data_hdr { + __le32 msg_type; /* RNDIS_MSG_PACKET */ + __le32 msg_len; // rndis_data_hdr + data_len + pad + __le32 data_offset; // 36 -- right after header + __le32 data_len; // ... real packet size + + __le32 oob_data_offset; // zero + __le32 oob_data_len; // zero + __le32 num_oob; // zero + __le32 packet_data_offset; // zero + + __le32 packet_data_len; // zero + __le32 vc_handle; // zero + __le32 reserved; // zero +} __attribute__ ((packed)); + +struct rndis_init { /* OUT */ + // header and: + __le32 msg_type; /* RNDIS_MSG_INIT */ + __le32 msg_len; // 24 + __le32 request_id; + __le32 major_version; // of rndis (1.0) + __le32 minor_version; + __le32 max_transfer_size; +} __attribute__ ((packed)); + +struct rndis_init_c { /* IN */ + // header and: + __le32 msg_type; /* RNDIS_MSG_INIT_C */ + __le32 msg_len; + __le32 request_id; + __le32 status; + __le32 major_version; // of rndis (1.0) + __le32 minor_version; + __le32 device_flags; + __le32 medium; // zero == 802.3 + __le32 max_packets_per_message; + __le32 max_transfer_size; + __le32 packet_alignment; // max 7; (1< + * Copyright (C) 2003-2005 David Hollis + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. 
+ * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#ifndef __USBNET_H +#define __USBNET_H + + +/* interface from usbnet core to each USB networking link we handle */ +struct usbnet { + /* housekeeping */ + struct usb_device *udev; + struct usb_interface *intf; + struct driver_info *driver_info; + const char *driver_name; + void *driver_priv; + wait_queue_head_t *wait; + struct mutex phy_mutex; + unsigned char suspend_count; + + /* i/o info: pipes etc */ + unsigned in, out; + struct usb_host_endpoint *status; + unsigned maxpacket; + struct timer_list delay; + + /* protocol/interface state */ + struct net_device *net; + struct net_device_stats stats; + int msg_enable; + unsigned long data [5]; + u32 xid; + u32 hard_mtu; /* count any extra framing */ + size_t rx_urb_size; /* size for rx urbs */ + struct mii_if_info mii; + + /* various kinds of pending driver work */ + struct sk_buff_head rxq; + struct sk_buff_head txq; + struct sk_buff_head done; + struct urb *interrupt; + struct tasklet_struct bh; + + struct work_struct kevent; + unsigned long flags; +# define EVENT_TX_HALT 0 +# define EVENT_RX_HALT 1 +# define EVENT_RX_MEMORY 2 +# define EVENT_STS_SPLIT 3 +# define EVENT_LINK_RESET 4 +}; + +static inline struct usb_driver *driver_of(struct usb_interface *intf) +{ + return to_usb_driver(intf->dev.driver); +} + +/* interface from the device/framing level "minidriver" to core */ +struct driver_info { + char *description; + + int flags; +/* framing is CDC Ethernet, not writing ZLPs (hw issues), or optionally: */ +#define FLAG_FRAMING_NC 0x0001 /* guard against device dropouts */ +#define FLAG_FRAMING_GL 0x0002 /* genelink batches packets */ +#define FLAG_FRAMING_Z 0x0004 /* zaurus adds a trailer */ +#define FLAG_FRAMING_RN 0x0008 /* RNDIS batches, plus huge header */ + +#define FLAG_NO_SETINT 0x0010 
/* device can't set_interface() */ +#define FLAG_ETHER 0x0020 /* maybe use "eth%d" names */ + +#define FLAG_FRAMING_AX 0x0040 /* AX88772/178 packets */ +#define FLAG_WLAN 0x0080 /* use "wlan%d" names */ + + + /* init device ... can sleep, or cause probe() failure */ + int (*bind)(struct usbnet *, struct usb_interface *); + + /* cleanup device ... can sleep, but can't fail */ + void (*unbind)(struct usbnet *, struct usb_interface *); + + /* reset device ... can sleep */ + int (*reset)(struct usbnet *); + + /* see if peer is connected ... can sleep */ + int (*check_connect)(struct usbnet *); + + /* for status polling */ + void (*status)(struct usbnet *, struct urb *); + + /* link reset handling, called from defer_kevent */ + int (*link_reset)(struct usbnet *); + + /* fixup rx packet (strip framing) */ + int (*rx_fixup)(struct usbnet *dev, struct sk_buff *skb); + + /* fixup tx packet (add framing) */ + struct sk_buff *(*tx_fixup)(struct usbnet *dev, + struct sk_buff *skb, gfp_t flags); + + /* early initialization code, can sleep. This is for minidrivers + * having 'subminidrivers' that need to do extra initialization + * right after minidriver have initialized hardware. */ + int (*early_init)(struct usbnet *dev); + + /* called by minidriver when link state changes, state: 0=disconnect, + * 1=connect */ + void (*link_change)(struct usbnet *dev, int state); + + /* for new devices, use the descriptor-reading code instead */ + int in; /* rx endpoint */ + int out; /* tx endpoint */ + + unsigned long data; /* Misc driver specific data */ +}; + +/* Minidrivers are just drivers using the "usbnet" core as a powerful + * network-specific subroutine library ... that happens to do pretty + * much everything except custom framing and chip-specific stuff. 
+ */ +extern int usbnet_probe(struct usb_interface *, const struct usb_device_id *); +extern int usbnet_suspend (struct usb_interface *, pm_message_t ); +extern int usbnet_resume (struct usb_interface *); +extern void usbnet_disconnect(struct usb_interface *); + + +/* Drivers that reuse some of the standard USB CDC infrastructure + * (notably, using multiple interfaces according to the CDC + * union descriptor) get some helper code. + */ +struct cdc_state { + struct usb_cdc_header_desc *header; + struct usb_cdc_union_desc *u; + struct usb_cdc_ether_desc *ether; + struct usb_interface *control; + struct usb_interface *data; +}; + +extern int usbnet_generic_cdc_bind (struct usbnet *, struct usb_interface *); +extern void usbnet_cdc_unbind (struct usbnet *, struct usb_interface *); + +/* CDC and RNDIS support the same host-chosen packet filters for IN transfers */ +#define DEFAULT_FILTER (USB_CDC_PACKET_TYPE_BROADCAST \ + |USB_CDC_PACKET_TYPE_ALL_MULTICAST \ + |USB_CDC_PACKET_TYPE_PROMISCUOUS \ + |USB_CDC_PACKET_TYPE_DIRECTED) + + +/* we record the state for each of our queued skbs */ +enum skb_state { + illegal = 0, + tx_start, tx_done, + rx_start, rx_done, rx_cleanup +}; + +struct skb_data { /* skb->cb is one of these */ + struct urb *urb; + struct usbnet *dev; + enum skb_state state; + size_t length; +}; + + +extern int usbnet_get_endpoints(struct usbnet *, struct usb_interface *); +extern void usbnet_defer_kevent (struct usbnet *, int); +extern void usbnet_skb_return (struct usbnet *, struct sk_buff *); +extern void usbnet_unlink_rx_urbs(struct usbnet *); + +extern int usbnet_get_settings (struct net_device *net, struct ethtool_cmd *cmd); +extern int usbnet_set_settings (struct net_device *net, struct ethtool_cmd *cmd); +extern u32 usbnet_get_link (struct net_device *net); +extern u32 usbnet_get_msglevel (struct net_device *); +extern void usbnet_set_msglevel (struct net_device *, u32); +extern void usbnet_get_drvinfo (struct net_device *, struct ethtool_drvinfo 
*); +extern int usbnet_nway_reset(struct net_device *net); + +/* messaging support includes the interface name, so it must not be + * used before it has one ... notably, in minidriver bind() calls. + */ +#ifdef DEBUG +#define devdbg(usbnet, fmt, arg...) \ + printk(KERN_DEBUG "%s: " fmt "\n" , (usbnet)->net->name , ## arg) +#else +#define devdbg(usbnet, fmt, arg...) do {} while(0) +#endif + +#define deverr(usbnet, fmt, arg...) \ + printk(KERN_ERR "%s: " fmt "\n" , (usbnet)->net->name , ## arg) +#define devwarn(usbnet, fmt, arg...) \ + printk(KERN_WARNING "%s: " fmt "\n" , (usbnet)->net->name , ## arg) + +#define devinfo(usbnet, fmt, arg...) \ + printk(KERN_INFO "%s: " fmt "\n" , (usbnet)->net->name , ## arg); \ + + +#endif /* __USBNET_H */ -- cgit v1.2.2 From 38320c70d282be1997a5204c7c7fe14c3aa6bfaa Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Mon, 28 Jan 2008 19:35:05 -0800 Subject: [IPSEC]: Use crypto_aead and authenc in ESP This patch converts ESP to use the crypto_aead interface and in particular the authenc algorithm. This lays the foundations for future support of combined mode algorithms. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- include/net/esp.h | 54 ++++++++---------------------------------------------- 1 file changed, 8 insertions(+), 46 deletions(-) (limited to 'include') diff --git a/include/net/esp.h b/include/net/esp.h index c05f529bff28..d58451331dbd 100644 --- a/include/net/esp.h +++ b/include/net/esp.h 
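Review bot: The `devinfo` macro at the very end of the new include/linux/usb/usbnet.h is the only one of the four logging macros whose expansion ends in `;` and whose last line still carries a `\` continuation onto the empty line that follows, so a caller writing `if (x) devinfo(...); else ...` gets a double semicolon and a syntax error, and the stray backslash silently swallows the blank line before `#endif`. This is carried over from the old location, but since the header is being moved wholesale this is the moment to make it match `deverr`/`devwarn`: `#define devinfo(usbnet, fmt, arg...) \` followed by `printk(KERN_INFO "%s: " fmt "\n" , (usbnet)->net->name , ## arg)` with no trailing `;` or `\`. A smaller consistency nit in the same file: `struct driver_info` declares `char *description;` while `struct usbnet` already uses `const char *driver_name`, so `const char *description;` would match. The `@@` header of this hunk and the tail of the preceding rndis_host.h hunk are garbled in this view, so the start of the file could not be checked.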
@@ -1,58 +1,20 @@ #ifndef _NET_ESP_H #define _NET_ESP_H -#include -#include -#include +#include -#define ESP_NUM_FAST_SG 4 +struct crypto_aead; -struct esp_data -{ - struct scatterlist sgbuf[ESP_NUM_FAST_SG]; - - /* Confidentiality */ - struct { - int padlen; /* 0..255 */ - /* ivlen is offset from enc_data, where encrypted data start. - * It is logically different of crypto_tfm_alg_ivsize(tfm). - * We assume that it is either zero (no ivec), or - * >= crypto_tfm_alg_ivsize(tfm). */ - int ivlen; - int ivinitted; - u8 *ivec; /* ivec buffer */ - struct crypto_blkcipher *tfm; /* crypto handle */ - } conf; - - /* Integrity. It is active when icv_full_len != 0 */ - struct { - u8 *work_icv; - int icv_full_len; - int icv_trunc_len; - struct crypto_hash *tfm; - } auth; +struct esp_data { + /* 0..255 */ + int padlen; + + /* Confidentiality & Integrity */ + struct crypto_aead *aead; }; extern void *pskb_put(struct sk_buff *skb, struct sk_buff *tail, int len); -static inline int esp_mac_digest(struct esp_data *esp, struct sk_buff *skb, - int offset, int len) -{ - struct hash_desc desc; - int err; - - desc.tfm = esp->auth.tfm; - desc.flags = 0; - - err = crypto_hash_init(&desc); - if (unlikely(err)) - return err; - err = skb_icv_walk(skb, &desc, offset, len, crypto_hash_update); - if (unlikely(err)) - return err; - return crypto_hash_final(&desc, esp->auth.work_icv); -} - struct ip_esp_hdr; static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb) -- cgit v1.2.2 From 1a6509d991225ad210de54c63314fd9542922095 Mon Sep 17 00:00:00 2001 
From: Herbert Xu Date: Mon, 28 Jan 2008 19:37:29 -0800 Subject: [IPSEC]: Add support for combined mode algorithms This patch adds support for combined mode algorithms with GCM being the first algorithm supported. Combined mode algorithms can be added through the xfrm_user interface using the new algorithm payload type XFRMA_ALG_AEAD. Each algorithms is identified by its name and the ICV length. For the purposes of matching algorithms in xfrm_tmpl structures, combined mode algorithms occupy the same name space as encryption algorithms. This is in line with how they are negotiated using IKE. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- include/linux/pfkeyv2.h | 6 ++++++ include/linux/xfrm.h | 8 ++++++++ include/net/xfrm.h | 8 ++++++++ 3 files changed, 22 insertions(+) (limited to 'include') diff --git a/include/linux/pfkeyv2.h b/include/linux/pfkeyv2.h index d9db5f62ee48..6db69ff5d83e 100644 --- a/include/linux/pfkeyv2.h +++ b/include/linux/pfkeyv2.h @@ -298,6 +298,12 @@ struct sadb_x_sec_ctx { #define SADB_X_EALG_BLOWFISHCBC 7 #define SADB_EALG_NULL 11 #define SADB_X_EALG_AESCBC 12 +#define SADB_X_EALG_AES_CCM_ICV8 14 +#define SADB_X_EALG_AES_CCM_ICV12 15 +#define SADB_X_EALG_AES_CCM_ICV16 16 +#define SADB_X_EALG_AES_GCM_ICV8 18 +#define SADB_X_EALG_AES_GCM_ICV12 19 +#define SADB_X_EALG_AES_GCM_ICV16 20 #define SADB_X_EALG_CAMELLIACBC 22 #define SADB_EALG_MAX 253 /* last EALG */ /* private allocations should use 249-255 (RFC2407) */ diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h index 9b5b00c4ef9d..e31b8c84f2c9 100644 --- a/include/linux/xfrm.h +++ b/include/linux/xfrm.h @@ -96,6 +96,13 @@ struct xfrm_algo { char alg_key[0]; }; +struct xfrm_algo_aead { + char alg_name[64]; + int alg_key_len; /* in bits */ + int alg_icv_len; /* in bits */ + char alg_key[0]; +}; + struct xfrm_stats { __u32 replay_window; __u32 replay; 
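Review bot: `struct xfrm_algo_aead` in the include/linux/xfrm.h hunk introduces two signed lengths, `alg_key_len` and `alg_icv_len`, that arrive from userspace in the new XFRMA_ALG_AEAD attribute, and the header says nothing about which values are acceptable or that the trailing `alg_key[0]` bytes must be bounded by the attribute payload. Since this struct is the ABI that the parser will be written against, documenting the contract here is cheap: `int alg_key_len; /* in bits; must fit the attribute payload, checked by the receiver */` and `int alg_icv_len; /* in bits; must be a length the named algorithm supports */`, the latter matching the 8/12/16-byte variants the pfkeyv2.h hunk in this commit enumerates. The layout otherwise mirrors the existing `struct xfrm_algo`, including the zero-length `alg_key[0]` trailer, so the ABI shape is consistent with its siblings.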
@@ -270,6 +277,7 @@ enum xfrm_attr_type_t { XFRMA_LASTUSED, XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */ XFRMA_MIGRATE, + XFRMA_ALG_AEAD, /* struct xfrm_algo_aead */ __XFRMA_MAX #define XFRMA_MAX (__XFRMA_MAX - 1) diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 5ebb9ba479b1..34d373775a0e 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -159,6 +159,7 @@ struct xfrm_state struct xfrm_algo *aalg; struct xfrm_algo *ealg; struct xfrm_algo *calg; + struct xfrm_algo_aead *aead; /* Data for encapsulator */ struct xfrm_encap_tmpl *encap; @@ -1108,6 +1109,10 @@ static inline int xfrm_id_proto_match(u8 proto, u8 userproto) /* * xfrm algorithm information */ +struct xfrm_algo_aead_info { + u16 icv_truncbits; +}; + struct xfrm_algo_auth_info { u16 icv_truncbits; u16 icv_fullbits; @@ -1127,6 +1132,7 @@ struct xfrm_algo_desc { char *compat; u8 available:1; union { + struct xfrm_algo_aead_info aead; struct xfrm_algo_auth_info auth; struct xfrm_algo_encr_info encr; struct xfrm_algo_comp_info comp; @@ -1343,6 +1349,8 @@ extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id); extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe); extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe); extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe); +extern struct xfrm_algo_desc *xfrm_aead_get_byname(char *name, int icv_len, + int probe); struct hash_desc; struct scatterlist; -- cgit v1.2.2 From 4a19ec5800fc3bb64e2d87c4d9fdd9e636086fe0 Mon Sep 17 00:00:00 2001 From: Laszlo Attila Toth Date: Wed, 30 Jan 2008 19:08:16 -0800 Subject: [NET]: Introducing socket mark socket option. A userspace program may wish to set the mark for each packets its send without using the netfilter MARK target. Changing the mark can be used for mark based routing without netfilter or for packet filtering. It requires CAP_NET_ADMIN capability. Signed-off-by: Laszlo Attila Toth Acked-by: Patrick McHardy 
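Review bot: The new `xfrm_aead_get_byname(char *name, int icv_len, int probe)` prototype in the last include/net/xfrm.h hunk does not say what unit `icv_len` is in; the only related field on this page, `alg_icv_len` in `struct xfrm_algo_aead`, is documented as bits, so presumably this is bits too, but a caller reading only this header cannot tell bits from bytes. Suggest a comment on the declaration, `/* icv_len is in bits, as in xfrm_algo_aead.alg_icv_len */`, once that is confirmed against the implementation. `name` could be `const char *`, but the three sibling `*_get_byname` lookups above it take `char *`, so consistency argues for changing all four together or none in this commit.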
Signed-off-by: David S. Miller --- include/asm-alpha/socket.h | 2 ++ include/asm-arm/socket.h | 2 ++ include/asm-avr32/socket.h | 2 ++ include/asm-blackfin/socket.h | 3 +++ include/asm-cris/socket.h | 2 ++ include/asm-frv/socket.h | 2 ++ include/asm-h8300/socket.h | 2 ++ include/asm-ia64/socket.h | 2 ++ include/asm-m32r/socket.h | 2 ++ include/asm-m68k/socket.h | 2 ++ include/asm-mips/socket.h | 2 ++ include/asm-parisc/socket.h | 2 ++ include/asm-powerpc/socket.h | 2 ++ include/asm-s390/socket.h | 2 ++ include/asm-sh/socket.h | 2 ++ include/asm-sparc/socket.h | 2 ++ include/asm-sparc64/socket.h | 1 + include/asm-v850/socket.h | 2 ++ include/asm-x86/socket.h | 2 ++ include/asm-xtensa/socket.h | 2 ++ include/net/route.h | 2 ++ include/net/sock.h | 2 ++ 22 files changed, 44 insertions(+) (limited to 'include') diff --git a/include/asm-alpha/socket.h b/include/asm-alpha/socket.h index 1fede7f92860..08c979319929 100644 --- a/include/asm-alpha/socket.h +++ b/include/asm-alpha/socket.h @@ -60,4 +60,6 @@ #define SO_SECURITY_ENCRYPTION_TRANSPORT 20 #define SO_SECURITY_ENCRYPTION_NETWORK 21 +#define SO_MARK 36 + #endif /* _ASM_SOCKET_H */ diff --git a/include/asm-arm/socket.h b/include/asm-arm/socket.h index 65a1a64bf934..6817be9573a6 100644 --- a/include/asm-arm/socket.h +++ b/include/asm-arm/socket.h @@ -52,4 +52,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* _ASM_SOCKET_H */ diff --git a/include/asm-avr32/socket.h b/include/asm-avr32/socket.h index a0d0507a5034..35863f260929 100644 --- a/include/asm-avr32/socket.h +++ b/include/asm-avr32/socket.h @@ -52,4 +52,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* __ASM_AVR32_SOCKET_H */ diff --git a/include/asm-blackfin/socket.h b/include/asm-blackfin/socket.h index 5213c9652186..2ca702e44d47 100644 --- a/include/asm-blackfin/socket.h +++ b/include/asm-blackfin/socket.h 
@@ -50,4 +50,7 @@ #define SO_PASSSEC 34 #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS + +#define SO_MARK 36 + #endif /* _ASM_SOCKET_H */ diff --git a/include/asm-cris/socket.h b/include/asm-cris/socket.h index 5b18dfdf1748..9df0ca82f5de 100644 --- a/include/asm-cris/socket.h +++ b/include/asm-cris/socket.h @@ -54,6 +54,8 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* _ASM_SOCKET_H */ diff --git a/include/asm-frv/socket.h b/include/asm-frv/socket.h index a823befd11dd..e51ca67b9356 100644 --- a/include/asm-frv/socket.h +++ b/include/asm-frv/socket.h @@ -52,5 +52,7 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* _ASM_SOCKET_H */ diff --git a/include/asm-h8300/socket.h b/include/asm-h8300/socket.h index 39911d8c9684..da2520dbf254 100644 --- a/include/asm-h8300/socket.h +++ b/include/asm-h8300/socket.h @@ -52,4 +52,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* _ASM_SOCKET_H */ diff --git a/include/asm-ia64/socket.h b/include/asm-ia64/socket.h index 9e42ce43cfbe..d5ef0aa3e312 100644 --- a/include/asm-ia64/socket.h +++ b/include/asm-ia64/socket.h @@ -61,4 +61,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* _ASM_IA64_SOCKET_H */ diff --git a/include/asm-m32r/socket.h b/include/asm-m32r/socket.h index 793d5d30c850..9a0e20012224 100644 --- a/include/asm-m32r/socket.h +++ b/include/asm-m32r/socket.h @@ -52,4 +52,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* _ASM_M32R_SOCKET_H */ diff --git a/include/asm-m68k/socket.h b/include/asm-m68k/socket.h index 6d21b90863ad..dbc64e92c41a 100644 --- a/include/asm-m68k/socket.h +++ b/include/asm-m68k/socket.h @@ -52,4 +52,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* _ASM_SOCKET_H */ 
diff --git a/include/asm-mips/socket.h b/include/asm-mips/socket.h index 95945689b1c6..63f60254d308 100644 --- a/include/asm-mips/socket.h +++ b/include/asm-mips/socket.h @@ -73,6 +73,8 @@ To add: #define SO_REUSEPORT 0x0200 /* Allow local address and port reuse. */ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #ifdef __KERNEL__ /** sock_type - Socket types diff --git a/include/asm-parisc/socket.h b/include/asm-parisc/socket.h index 99e868f6a8f5..69a7a0d30b02 100644 --- a/include/asm-parisc/socket.h +++ b/include/asm-parisc/socket.h @@ -52,4 +52,6 @@ #define SO_PEERSEC 0x401d #define SO_PASSSEC 0x401e +#define SO_MARK 0x401f + #endif /* _ASM_SOCKET_H */ diff --git a/include/asm-powerpc/socket.h b/include/asm-powerpc/socket.h index 403e9fde2eb5..f5a4e168e498 100644 --- a/include/asm-powerpc/socket.h +++ b/include/asm-powerpc/socket.h @@ -59,4 +59,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* _ASM_POWERPC_SOCKET_H */ diff --git a/include/asm-s390/socket.h b/include/asm-s390/socket.h index 1161ebe3dec9..c786ab623b2d 100644 --- a/include/asm-s390/socket.h +++ b/include/asm-s390/socket.h @@ -60,4 +60,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* _ASM_SOCKET_H */ diff --git a/include/asm-sh/socket.h b/include/asm-sh/socket.h index c48d6fc9da38..6d4bf6512959 100644 --- a/include/asm-sh/socket.h +++ b/include/asm-sh/socket.h @@ -52,4 +52,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* __ASM_SH_SOCKET_H */ diff --git a/include/asm-sparc/socket.h b/include/asm-sparc/socket.h index 7c1423997cf0..2e2bd0b7c8e3 100644 --- a/include/asm-sparc/socket.h +++ b/include/asm-sparc/socket.h 
@@ -52,6 +52,8 @@ #define SO_TIMESTAMPNS 0x0021 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 0x0022 + /* Security levels - as per NRL IPv6 - don't actually do anything */ #define SO_SECURITY_AUTHENTICATION 0x5001 #define SO_SECURITY_ENCRYPTION_TRANSPORT 0x5002 diff --git a/include/asm-sparc64/socket.h b/include/asm-sparc64/socket.h index 986441dcb8f0..44a625af6e31 100644 --- a/include/asm-sparc64/socket.h +++ b/include/asm-sparc64/socket.h @@ -57,4 +57,5 @@ #define SO_SECURITY_ENCRYPTION_TRANSPORT 0x5002 #define SO_SECURITY_ENCRYPTION_NETWORK 0x5004 +#define SO_MARK 0x0022 #endif /* _ASM_SOCKET_H */ diff --git a/include/asm-v850/socket.h b/include/asm-v850/socket.h index a4c2493b025f..e199a2bf12aa 100644 --- a/include/asm-v850/socket.h +++ b/include/asm-v850/socket.h @@ -52,4 +52,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* __V850_SOCKET_H__ */ diff --git a/include/asm-x86/socket.h b/include/asm-x86/socket.h index 99ca648b94c5..80af9c4ccad7 100644 --- a/include/asm-x86/socket.h +++ b/include/asm-x86/socket.h @@ -52,4 +52,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* _ASM_SOCKET_H */ diff --git a/include/asm-xtensa/socket.h b/include/asm-xtensa/socket.h index 1f5aeacb9da2..6100682b1da2 100644 --- a/include/asm-xtensa/socket.h +++ b/include/asm-xtensa/socket.h @@ -63,4 +63,6 @@ #define SO_TIMESTAMPNS 35 #define SCM_TIMESTAMPNS SO_TIMESTAMPNS +#define SO_MARK 36 + #endif /* _XTENSA_SOCKET_H */ diff --git a/include/net/route.h b/include/net/route.h index 4eabf008413b..fcc6d5b35863 100644 --- a/include/net/route.h +++ b/include/net/route.h @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include @@ -149,6 +150,7 @@ static inline int ip_route_connect(struct rtable **rp, __be32 dst, int flags) { struct flowi fl = { .oif = oif, + .mark = sk->sk_mark, .nl_u = { .ip4_u = { .daddr = dst, .saddr = src, .tos = tos } }, 
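Review bot: In the include/net/route.h hunk, `ip_route_connect` now dereferences `sk` unconditionally in the `struct flowi` initializer (`.mark = sk->sk_mark,`), which turns any caller passing a NULL socket into a NULL-pointer dereference at the top of the function. The hunk header truncates the parameter list and the rest of the body is outside the hunk, so I cannot see whether `sk` was previously used before this point or whether every caller is guaranteed to pass one; if not, `.mark = sk ? sk->sk_mark : 0,` keeps the old behaviour for those callers. The added `#include` line in the earlier hunk of this file has lost its target in this rendering and could not be checked.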
diff --git a/include/net/sock.h b/include/net/sock.h index 902324488d0f..e3fb4c047f4c 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -262,6 +262,8 @@ struct sock { __u32 sk_sndmsg_off; int sk_write_pending; void *sk_security; + __u32 sk_mark; + /* XXX 4 bytes hole on 64 bit */ void (*sk_state_change)(struct sock *sk); void (*sk_data_ready)(struct sock *sk, int bytes); void (*sk_write_space)(struct sock *sk); -- cgit v1.2.2 From 533cb5b0a63f28ecab5503cfceb77e641fa7f7c4 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Wed, 30 Jan 2008 19:11:50 -0800 Subject: [XFRM]: constify 'struct xfrm_type' Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller --- include/net/xfrm.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'include') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 34d373775a0e..ac72116636ca 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -202,7 +202,7 @@ struct xfrm_state /* Reference to data common to all the instances of this * transformer. */ - struct xfrm_type *type; + const struct xfrm_type *type; struct xfrm_mode *inner_mode; struct xfrm_mode *outer_mode; @@ -279,7 +279,7 @@ struct xfrm_state_afinfo { unsigned int proto; unsigned int eth_proto; struct module *owner; - struct xfrm_type *type_map[IPPROTO_MAX]; + const struct xfrm_type *type_map[IPPROTO_MAX]; struct xfrm_mode *mode_map[XFRM_MODE_MAX]; int (*init_flags)(struct xfrm_state *x); void (*init_tempsel)(struct xfrm_state *x, struct flowi *fl, @@ -322,8 +322,8 @@ struct xfrm_type u32 (*get_mtu)(struct xfrm_state *, int size); }; -extern int xfrm_register_type(struct xfrm_type *type, unsigned short family); -extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family); +extern int xfrm_register_type(const struct xfrm_type *type, unsigned short family); +extern int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family); struct xfrm_mode { /* -- cgit v1.2.2 
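Review bot: The new `sk_mark` field in `struct sock` (include/net/sock.h hunk) carries only a layout remark, `/* XXX 4 bytes hole on 64 bit */`, and nothing about what the value means or who is allowed to set it, which is what a reader of this header actually needs. The commit message states that the mark is set through the new SO_MARK option, requires CAP_NET_ADMIN, and drives mark-based routing and filtering, and the route.h hunk in the same commit shows it being copied into `flowi.mark`; suggest `__u32 sk_mark; /* generic packet mark; set via SO_MARK (CAP_NET_ADMIN), copied into flowi.mark for routing/filtering */` alongside or instead of the hole comment. The `SO_MARK` additions across the asm-*/socket.h hunks are plain constant definitions and raise no point.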
From 377cf82d66ea43f3d3cb82c2563e65b5c12c9bfd Mon Sep 17 00:00:00 2001 From: "Denis V. Lunev" Date: Thu, 31 Jan 2008 03:46:12 -0800 Subject: [RAW]: Family check in the /proc/net/raw[6] is extra. Different hashtables are used for IPv6 and IPv4 raw sockets, so no need to check the socket family in the iterator over hashtables. Clean this out. Signed-off-by: Denis V. Lunev Signed-off-by: David S. Miller --- include/net/raw.h | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'include') diff --git a/include/net/raw.h b/include/net/raw.h index cca81d8b2d8b..c7ea7a2aca86 100644 --- a/include/net/raw.h +++ b/include/net/raw.h @@ -41,7 +41,6 @@ extern void raw_proc_exit(void); struct raw_iter_state { struct seq_net_private p; int bucket; - unsigned short family; struct raw_hashinfo *h; }; @@ -49,8 +48,7 @@ struct raw_iter_state { void *raw_seq_start(struct seq_file *seq, loff_t *pos); void *raw_seq_next(struct seq_file *seq, void *v, loff_t *pos); void raw_seq_stop(struct seq_file *seq, void *v); -int raw_seq_open(struct inode *ino, struct file *file, struct raw_hashinfo *h, - unsigned short family); +int raw_seq_open(struct inode *ino, struct file *file, struct raw_hashinfo *h); #endif -- cgit v1.2.2 From 3046d76746311ac7ff0cdc3ec42db15730528dbf Mon Sep 17 00:00:00 2001 From: "Denis V. Lunev" Date: Thu, 31 Jan 2008 03:48:55 -0800 Subject: [RAW]: Wrong content of the /proc/net/raw6. The address of IPv6 raw sockets was shown in the wrong format, from IPv4 ones. The problem has been introduced by the commit 42a73808ed4f30b739eb52bcbb33a02fe62ceef5 ("[RAW]: Consolidate proc interface.") Thanks to Adrian Bunk who originally noticed the problem. Signed-off-by: Denis V. Lunev Signed-off-by: David S. Miller --- include/net/raw.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/net/raw.h b/include/net/raw.h index c7ea7a2aca86..1828f81fe374 100644 --- a/include/net/raw.h +++ b/include/net/raw.h 
@@ -48,7 +48,8 @@ struct raw_iter_state { void *raw_seq_start(struct seq_file *seq, loff_t *pos); void *raw_seq_next(struct seq_file *seq, void *v, loff_t *pos); void raw_seq_stop(struct seq_file *seq, void *v); -int raw_seq_open(struct inode *ino, struct file *file, struct raw_hashinfo *h); +int raw_seq_open(struct inode *ino, struct file *file, + struct raw_hashinfo *h, const struct seq_operations *ops); #endif -- cgit v1.2.2 From ecb6f85e11627a0fb26a7e2db0d3603c0d602937 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 31 Jan 2008 03:54:47 -0800 Subject: [NETFILTER]: Use const in struct xt_match, xt_target, xt_table Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/x_tables.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'include') diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index b99ede51318a..90dc6ea2a683 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -214,7 +214,7 @@ struct xt_match /* Free to use by each match */ unsigned long data; - char *table; + const char *table; unsigned int matchsize; unsigned int compatsize; unsigned int hooks; @@ -261,7 +261,7 @@ struct xt_target /* Set this to THIS_MODULE if you are a module, otherwise NULL */ struct module *me; - char *table; + const char *table; unsigned int targetsize; unsigned int compatsize; unsigned int hooks; @@ -277,7 +277,7 @@ struct xt_table struct list_head list; /* A unique name... */ - char name[XT_TABLE_MAXNAMELEN]; + const char name[XT_TABLE_MAXNAMELEN]; /* What hooks you will enter on */ unsigned int valid_hooks; -- cgit v1.2.2 From 2fd8e526f44beaf439f351b310648b559e62a7cb Mon Sep 17 00:00:00 2001 
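Review bot: `const char name[XT_TABLE_MAXNAMELEN];` in the third x_tables.h hunk makes `struct xt_table` a non-modifiable lvalue as a whole (C11 6.3.2.1), so `*dst = *src` between two tables no longer compiles and any copy — such as the template duplication a later commit in this series describes — has to go through `memcpy`/`kmemdup`, while static initializers keep working. That is a stronger contract than the `const char *table` changes in the first two hunks, which only restrict writes through the pointer, and it deserves a note on the member, e.g. `/* A unique name... (read-only after initialization; copy the struct with kmemdup, not by assignment) */`. `struct xt_table` continues outside the hunk.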
From: Patrick McHardy Date: Thu, 31 Jan 2008 03:56:35 -0800 Subject: [NETFILTER]: bridge netfilter: remove nf_bridge_info read-only netoutdev member Before the removal of the deferred output hooks, netoutdev was used in case of VLANs on top of a bridge to store the VLAN device, so the deferred hooks would see the correct output device. This isn't necessary anymore since we're calling the output hooks for the correct device directly in the IP stack. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/skbuff.h | 3 --- 1 file changed, 3 deletions(-) (limited to 'include') diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index c618fbf7d173..dfe975a9967e 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -108,9 +108,6 @@ struct nf_bridge_info { atomic_t use; struct net_device *physindev; struct net_device *physoutdev; -#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE) - struct net_device *netoutdev; -#endif unsigned int mask; unsigned long data[32 / sizeof(unsigned long)]; }; -- cgit v1.2.2 From c82a5cb8b2b2ce15f1fb8add6772921b72da5943 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 31 Jan 2008 03:57:36 -0800 Subject: linux/types.h: Use __u64 for aligned_u64 Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/types.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/types.h b/include/linux/types.h index f4f8d19158e4..b94c0e4efe24 100644 --- a/include/linux/types.h +++ b/include/linux/types.h @@ -126,7 +126,7 @@ typedef __s64 int64_t; #endif /* this is a special 64bit data type that is 8-byte aligned */ -#define aligned_u64 unsigned long long __attribute__((aligned(8))) +#define aligned_u64 __u64 __attribute__((aligned(8))) #define aligned_be64 __be64 __attribute__((aligned(8))) #define aligned_le64 __le64 __attribute__((aligned(8))) -- cgit v1.2.2 
From b41649989c9640e54e47001994b7ecb927ea1822 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 31 Jan 2008 03:58:24 -0800 Subject: [NETFILTER]: xt_conntrack: add port and direction matching Extend the xt_conntrack match revision 1 by port matching (all four {orig,repl}{src,dst}) and by packet direction matching. Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/xt_conntrack.h | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) (limited to 'include') diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h index d2492a3329be..f3fd83e46bab 100644 --- a/include/linux/netfilter/xt_conntrack.h +++ b/include/linux/netfilter/xt_conntrack.h @@ -6,9 +6,6 @@ #define _XT_CONNTRACK_H #include -#ifdef __KERNEL__ -# include -#endif #define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) #define XT_CONNTRACK_STATE_INVALID (1 << 0) @@ -18,14 +15,21 @@ #define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3)) /* flags, invflags: */ -#define XT_CONNTRACK_STATE 0x01 -#define XT_CONNTRACK_PROTO 0x02 -#define XT_CONNTRACK_ORIGSRC 0x04 -#define XT_CONNTRACK_ORIGDST 0x08 -#define XT_CONNTRACK_REPLSRC 0x10 -#define XT_CONNTRACK_REPLDST 0x20 -#define XT_CONNTRACK_STATUS 0x40 -#define XT_CONNTRACK_EXPIRES 0x80 +enum { + XT_CONNTRACK_STATE = 1 << 0, + XT_CONNTRACK_PROTO = 1 << 1, + XT_CONNTRACK_ORIGSRC = 1 << 2, + XT_CONNTRACK_ORIGDST = 1 << 3, + XT_CONNTRACK_REPLSRC = 1 << 4, + XT_CONNTRACK_REPLDST = 1 << 5, + XT_CONNTRACK_STATUS = 1 << 6, + XT_CONNTRACK_EXPIRES = 1 << 7, + XT_CONNTRACK_ORIGSRC_PORT = 1 << 8, + XT_CONNTRACK_ORIGDST_PORT = 1 << 9, + XT_CONNTRACK_REPLSRC_PORT = 1 << 10, + XT_CONNTRACK_REPLDST_PORT = 1 << 11, + XT_CONNTRACK_DIRECTION = 1 << 12, +}; /* This is exposed to userspace, so remains frozen in time. */ struct ip_conntrack_old_tuple 
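Review bot: The first hunk drops the `#ifdef __KERNEL__` include while the `XT_CONNTRACK_STATE_BIT`, `XT_CONNTRACK_STATE_INVALID` and `XT_CONNTRACK_STATE_UNTRACKED` macros kept in the same hunk still expand to `IP_CT_IS_REPLY` and `IP_CT_NUMBER`; the rendering has lost the include file names, so it is worth confirming that the one remaining `#include` supplies those constants for both kernel and userspace builds, otherwise the macros break for whichever side the removed include served. The second hunk's switch from `#define` to an anonymous `enum` is a good fit for a flag set that now spans 13 bits (`1 << 12`), but because this header is consumed by iptables userspace a short comment above the enum, `/* flag bits are userspace ABI: append new values, never renumber existing ones */`, would guard against the reordering an enum invites and a column of literal hex values does not.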
@@ -70,8 +74,10 @@ struct xt_conntrack_mtinfo1 { union nf_inet_addr repldst_addr, repldst_mask; u_int32_t expires_min, expires_max; u_int16_t l4proto; + __be16 origsrc_port, origdst_port; + __be16 replsrc_port, repldst_port; + u_int16_t match_flags, invert_flags; u_int8_t state_mask, status_mask; - u_int8_t match_flags, invert_flags; }; #endif /*_XT_CONNTRACK_H*/ -- cgit v1.2.2 From 000e8a53540b75a885efeb00ec1f1cb3c8d0bead Mon Sep 17 00:00:00 2001 From: Helge Deller Date: Thu, 31 Jan 2008 03:58:56 -0800 Subject: [NETFILTER]: nf_log: add netfilter gcc printf format checking Signed-off-by: Helge Deller Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_log.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h index 037e82403f91..8c6b5ae45534 100644 --- a/include/net/netfilter/nf_log.h +++ b/include/net/netfilter/nf_log.h @@ -54,6 +54,6 @@ void nf_log_packet(int pf, const struct net_device *in, const struct net_device *out, const struct nf_loginfo *li, - const char *fmt, ...); + const char *fmt, ...) __attribute__ ((format(printf,7,8))); #endif /* _NF_LOG_H */ -- cgit v1.2.2 From abfdf1c48907f78ad7d943b77ea180bf5504564f Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 31 Jan 2008 03:59:24 -0800 Subject: [NETFILTER]: ebtables: remove casts, use consts Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/arp.h | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'include') diff --git a/include/net/arp.h b/include/net/arp.h index 752eb47b2678..c236270ec95e 100644 --- a/include/net/arp.h +++ b/include/net/arp.h 
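Review bot: Widening `match_flags`/`invert_flags` from `u_int8_t` to `u_int16_t` and inserting four `__be16` port fields changes both the size and the layout of `struct xt_conntrack_mtinfo1`, the blob iptables hands to the kernel for revision 1 of this match; that is only acceptable if revision 1 has not yet shipped in a release, and unlike the xt_owner change later in this series the description does not say so — the claim should be stated in the commit message, or if revision 1 is out the new fields belong in a revision 2. The widening itself is forced by the flag enum in the previous hunk reaching `1 << 12`, so the two hunks must land together. A one-line comment on the new fields would also help: `/* ports are consulted only when the matching XT_CONNTRACK_*_PORT flag is set */`, assuming that is how the match code treats them — worth confirming. `struct xt_conntrack_mtinfo1` starts outside the hunk.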
@@ -13,15 +13,17 @@ extern int arp_find(unsigned char *haddr, struct sk_buff *skb); extern int arp_ioctl(struct net *net, unsigned int cmd, void __user *arg); extern void arp_send(int type, int ptype, __be32 dest_ip, struct net_device *dev, __be32 src_ip, - unsigned char *dest_hw, unsigned char *src_hw, unsigned char *th); + const unsigned char *dest_hw, + const unsigned char *src_hw, const unsigned char *th); extern int arp_bind_neighbour(struct dst_entry *dst); extern int arp_mc_map(__be32 addr, u8 *haddr, struct net_device *dev, int dir); extern void arp_ifdown(struct net_device *dev); extern struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip, struct net_device *dev, __be32 src_ip, - unsigned char *dest_hw, unsigned char *src_hw, - unsigned char *target_hw); + const unsigned char *dest_hw, + const unsigned char *src_hw, + const unsigned char *target_hw); extern void arp_xmit(struct sk_buff *skb); extern struct neigh_ops arp_broken_ops; -- cgit v1.2.2 From a98da11d88dbec1d5cebe2c6dbe9939ed8d13f69 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Thu, 31 Jan 2008 04:01:49 -0800 Subject: [NETFILTER]: x_tables: change xt_table_register() return value convention Switch from 0/-E to ptr/PTR_ERR convention. Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/x_tables.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'include') diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 90dc6ea2a683..937cebb3ab54 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h 
@@ -335,9 +335,9 @@ extern int xt_check_target(const struct xt_target *target, unsigned short family unsigned int size, const char *table, unsigned int hook, unsigned short proto, int inv_proto); -extern int xt_register_table(struct xt_table *table, - struct xt_table_info *bootstrap, - struct xt_table_info *newinfo); +extern struct xt_table *xt_register_table(struct xt_table *table, + struct xt_table_info *bootstrap, + struct xt_table_info *newinfo); extern void *xt_unregister_table(struct xt_table *table); extern struct xt_table_info *xt_replace_table(struct xt_table *table, -- cgit v1.2.2 From 8d870052079d255917ec4f8431f5ec102707b7af Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Thu, 31 Jan 2008 04:02:13 -0800 Subject: [NETFILTER]: x_tables: per-netns xt_tables In fact all we want is per-netns set of rules, however doing that will unnecessary complicate routines such as ipt_hook()/ipt_do_table, so make full xt_table array per-netns. Every user stubbed with init_net for a while. Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/x_tables.h | 6 ++++-- include/net/net_namespace.h | 4 ++++ include/net/netns/x_tables.h | 10 ++++++++++ 3 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 include/net/netns/x_tables.h (limited to 'include') diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 937cebb3ab54..91a1dd5b9c66 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h 
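Review bot: The new `struct xt_table *` return of `xt_register_table` has no comment saying how failure is reported, and the description's "ptr/PTR_ERR convention" is exactly the detail a caller gets wrong: a `NULL` check compiles fine and silently accepts an `ERR_PTR()` value as a live table. Add on the declaration `/* Returns the registered table or an ERR_PTR() value; test with IS_ERR(), never against NULL. */`. `xt_unregister_table` returning `void *` directly below has the same shape of interface and would benefit from the same treatment, but that line is unchanged here.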
@@ -335,7 +335,8 @@ extern int xt_check_target(const struct xt_target *target, unsigned short family unsigned int size, const char *table, unsigned int hook, unsigned short proto, int inv_proto); -extern struct xt_table *xt_register_table(struct xt_table *table, +extern struct xt_table *xt_register_table(struct net *net, + struct xt_table *table, struct xt_table_info *bootstrap, struct xt_table_info *newinfo); extern void *xt_unregister_table(struct xt_table *table); @@ -352,7 +353,8 @@ extern struct xt_target *xt_request_find_target(int af, const char *name, extern int xt_find_revision(int af, const char *name, u8 revision, int target, int *err); -extern struct xt_table *xt_find_table_lock(int af, const char *name); +extern struct xt_table *xt_find_table_lock(struct net *net, int af, + const char *name); extern void xt_table_unlock(struct xt_table *t); extern int xt_proto_init(int af); diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index b8c1d60ba9e4..28738b7d53eb 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h @@ -12,6 +12,7 @@ #include #include #include +#include struct proc_dir_entry; struct net_device; @@ -56,6 +57,9 @@ struct net { #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) struct netns_ipv6 ipv6; #endif +#ifdef CONFIG_NETFILTER + struct netns_xt xt; +#endif }; #ifdef CONFIG_NET diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h new file mode 100644 index 000000000000..0cb63ed2c1fc --- /dev/null +++ b/include/net/netns/x_tables.h @@ -0,0 +1,10 @@ +#ifndef __NETNS_X_TABLES_H +#define __NETNS_X_TABLES_H + +#include +#include + +struct netns_xt { + struct list_head tables[NPROTO]; +}; +#endif -- cgit v1.2.2 From 44d34e721e2c81ccdfb13cf34996309247ae2981 Mon Sep 17 00:00:00 2001 
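Review bot: `xt_find_table_lock` now takes a `struct net *` but nothing on the declaration says the lookup is scoped to that namespace, and the description admits every caller is stubbed with `init_net` for now, so a reader of this header cannot tell a deliberate cross-namespace lookup from a leftover stub. A comment such as `/* Finds and locks the @af table named @name in @net only; pass the requesting context's namespace, not init_net */` would make later callers pass the right value and make the remaining `init_net` stubs stand out as work in progress. The same applies to the `net` argument added to `xt_register_table` in the first hunk. The new `struct netns_xt` in the last hunk is clear on its own, though `tables[NPROTO]` could note that the index is the `af` those two functions take, if that is indeed the indexing — confirm against the registration code.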
From: Alexey Dobriyan Date: Thu, 31 Jan 2008 04:02:44 -0800 Subject: [NETFILTER]: x_tables: return new table from {arp,ip,ip6}t_register_table() Typical table module registers xt_table structure (i.e. packet_filter) and link it to list during it. We can't use one template for it because corresponding list_head will become corrupted. We also can't unregister with template because it wasn't changed at all and thus doesn't know in which list it is. So, we duplicate template at the very first step of table registration. Table modules will save it for use during unregistration time and actual filtering. Do it at once to not screw bisection. P.S.: renaming i.e. packet_filter => __packet_filter is temporary until full netnsization of table modules is done. Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter_arp/arp_tables.h | 4 ++-- include/linux/netfilter_ipv4/ip_tables.h | 5 +++-- include/linux/netfilter_ipv6/ip6_tables.h | 4 ++-- 3 files changed, 7 insertions(+), 6 deletions(-) (limited to 'include') diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h index 53dd4df27aa1..f35486b3a7ca 100644 --- a/include/linux/netfilter_arp/arp_tables.h +++ b/include/linux/netfilter_arp/arp_tables.h @@ -271,8 +271,8 @@ struct arpt_error xt_register_target(tgt); }) #define arpt_unregister_target(tgt) xt_unregister_target(tgt) -extern int arpt_register_table(struct arpt_table *table, - const struct arpt_replace *repl); +extern struct arpt_table *arpt_register_table(struct arpt_table *table, + const struct arpt_replace *repl); extern void arpt_unregister_table(struct arpt_table *table); extern unsigned int arpt_do_table(struct sk_buff *skb, unsigned int hook, diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index 45fcad91e67b..bfc889f90276 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h 
+++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -244,8 +244,9 @@ ipt_get_target(struct ipt_entry *e) #include extern void ipt_init(void) __init; -extern int ipt_register_table(struct xt_table *table, - const struct ipt_replace *repl); +extern struct xt_table *ipt_register_table(struct net *net, + struct xt_table *table, + const struct ipt_replace *repl); extern void ipt_unregister_table(struct xt_table *table); /* Standard entry. */ diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h index 110801d699ee..f716c7506245 100644 --- a/include/linux/netfilter_ipv6/ip6_tables.h +++ b/include/linux/netfilter_ipv6/ip6_tables.h @@ -305,8 +305,8 @@ ip6t_get_target(struct ip6t_entry *e) #include extern void ip6t_init(void) __init; -extern int ip6t_register_table(struct xt_table *table, - const struct ip6t_replace *repl); +extern struct xt_table *ip6t_register_table(struct xt_table *table, + const struct ip6t_replace *repl); extern void ip6t_unregister_table(struct xt_table *table); extern unsigned int ip6t_do_table(struct sk_buff *skb, unsigned int hook, -- cgit v1.2.2 From 9335f047fe61587ec82ff12fbb1220bcfdd32006 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Thu, 31 Jan 2008 04:03:23 -0800 Subject: [NETFILTER]: ip_tables: per-netns FILTER, MANGLE, RAW Now, iptables show and configure different set of rules in different netnss'. Filtering decisions are still made by consulting only init_net's set. Changes are identical except naming so no splitting. P.S.: one need to remove init_net checks in nf_sockopt.c and inet_create() to see the effect. Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netns/ipv4.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'include') diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index 15a0b052df22..aeb0c3b8df11 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h 
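Review bot: Both new declarations on this line return a table pointer, as does the arp_tables.h one in the hunk on the previous line, but none of them says whether failure is signalled by `NULL` or by `ERR_PTR()`; since the description says the template is duplicated and the module keeps the returned copy for unregistration and filtering, a caller that picks the wrong test will either dereference an error pointer or leak the registration. One comment above each, `/* Returns the live table copy to keep for unregistration, or an ERR_PTR() on failure — check with IS_ERR() */`, settles it, assuming these follow the `xt_register_table` convention they presumably wrap — confirm against the implementation.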
@@ -27,5 +27,10 @@ struct netns_ipv4 { struct sock *fibnl; struct netns_frags frags; +#ifdef CONFIG_NETFILTER + struct xt_table *iptable_filter; + struct xt_table *iptable_mangle; + struct xt_table *iptable_raw; +#endif }; #endif -- cgit v1.2.2 From 336b517fdc0f92f54a3f77a2d0933f9556aa79ad Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Thu, 31 Jan 2008 04:03:45 -0800 Subject: [NETFILTER]: ip6_tables: netns preparation * Propagate netns from userspace down to xt_find_table_lock() * Register ip6 tables in netns (modules still use init_net) Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter_ipv6/ip6_tables.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h index f716c7506245..f2507dcc5750 100644 --- a/include/linux/netfilter_ipv6/ip6_tables.h +++ b/include/linux/netfilter_ipv6/ip6_tables.h @@ -305,7 +305,8 @@ ip6t_get_target(struct ip6t_entry *e) #include extern void ip6t_init(void) __init; -extern struct xt_table *ip6t_register_table(struct xt_table *table, +extern struct xt_table *ip6t_register_table(struct net *net, + struct xt_table *table, const struct ip6t_replace *repl); extern void ip6t_unregister_table(struct xt_table *table); extern unsigned int ip6t_do_table(struct sk_buff *skb, -- cgit v1.2.2 From 8280aa6182f03c4e27dc235ce0440bc94927dc28 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Thu, 31 Jan 2008 04:04:13 -0800 Subject: [NETFILTER]: ip6_tables: per-netns IPv6 FILTER, MANGLE, RAW Now it's possible to list and manipulate per-netns ip6tables rules. Filtering decisions are based on init_net's table so far. P.S.: remove init_net check in inet6_create() to see the effect Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy 
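Review bot: The three new `struct xt_table *` members carry no comment, and the description states the trap a reader needs to know about: rules listed and configured through these per-namespace handles are not yet the rules enforced, because filtering still consults `init_net`'s tables. Until the hook paths are converted a namespace owner can see one ruleset while traffic is judged by another, so add above the block `/* per-netns table handles for iptables; the packet path still uses init_net's tables until the hooks are converted */`. The same applies to the ipv6 counterparts added in the next line's hunk and to `arptable_filter` added two lines further on. `struct netns_ipv4` begins outside the hunk.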
Signed-off-by: David S. Miller --- include/net/netns/ipv6.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'include') diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h index 187c4248df22..1dd7de4e4195 100644 --- a/include/net/netns/ipv6.h +++ b/include/net/netns/ipv6.h @@ -31,5 +31,10 @@ struct netns_ipv6 { struct ipv6_devconf *devconf_all; struct ipv6_devconf *devconf_dflt; struct netns_frags frags; +#ifdef CONFIG_NETFILTER + struct xt_table *ip6table_filter; + struct xt_table *ip6table_mangle; + struct xt_table *ip6table_raw; +#endif }; #endif -- cgit v1.2.2 From 79df341ab6c0b1eab77921265ddd1b17ec4db13a Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Thu, 31 Jan 2008 04:04:32 -0800 Subject: [NETFILTER]: arp_tables: netns preparation * Propagate netns from userspace. * arpt_register_table() registers table in supplied netns. Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter_arp/arp_tables.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h index f35486b3a7ca..db223ca92c8b 100644 --- a/include/linux/netfilter_arp/arp_tables.h +++ b/include/linux/netfilter_arp/arp_tables.h @@ -271,7 +271,8 @@ struct arpt_error xt_register_target(tgt); }) #define arpt_unregister_target(tgt) xt_unregister_target(tgt) -extern struct arpt_table *arpt_register_table(struct arpt_table *table, +extern struct arpt_table *arpt_register_table(struct net *net, + struct arpt_table *table, const struct arpt_replace *repl); extern void arpt_unregister_table(struct arpt_table *table); extern unsigned int arpt_do_table(struct sk_buff *skb, -- cgit v1.2.2 From 9ea0cb2601c4747dff758a9a7a5a4a433ad527f3 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Thu, 31 Jan 2008 04:05:09 -0800 Subject: [NETFILTER]: arp_tables: per-netns arp_tables FILTER Signed-off-by: Alexey Dobriyan 
Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netns/ipv4.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index aeb0c3b8df11..a9b4f6086294 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h @@ -31,6 +31,7 @@ struct netns_ipv4 { struct xt_table *iptable_filter; struct xt_table *iptable_mangle; struct xt_table *iptable_raw; + struct xt_table *arptable_filter; #endif }; #endif -- cgit v1.2.2 From edc26f7aaa23591c779d6d6fc833c0c96fbeb3c0 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 31 Jan 2008 04:06:38 -0800 Subject: [NETFILTER]: xt_owner: allow matching UID/GID ranges Add support for ranges to the new revision. This doesn't affect compatibility since the new revision was not released yet. Signed-off-by: Jan Engelhardt Signed-off-by: David S. Miller --- include/linux/netfilter/xt_owner.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include') diff --git a/include/linux/netfilter/xt_owner.h b/include/linux/netfilter/xt_owner.h index eacd34efebd5..c84e52cfe415 100644 --- a/include/linux/netfilter/xt_owner.h +++ b/include/linux/netfilter/xt_owner.h @@ -8,8 +8,8 @@ enum { }; struct xt_owner_match_info { - u_int32_t uid; - u_int32_t gid; + u_int32_t uid_min, uid_max; + u_int32_t gid_min, gid_max; u_int8_t match, invert; }; -- cgit v1.2.2 From 96eb24d770381b8a257b26183f6b6c131ad51ab9 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Thu, 31 Jan 2008 04:07:29 -0800 Subject: [NETFILTER]: nf_conntrack: sparse warnings The hashtable size is really unsigned so sparse complains when you pass a signed integer. Change all uses to make it consistent. Signed-off-by: Stephen Hemminger Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include') 
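Review bot: `uid_min, uid_max` and `gid_min, gid_max` in the xt_owner.h hunk do not say whether the bounds are inclusive, and for a range match that decides whether the boundary IDs are caught by the rule. A comment on the struct, `/* inclusive ranges; a single ID is expressed as min == max */`, would fix that — assuming the match code tests `>= min && <= max`, which should be confirmed. Since `struct xt_owner_match_info` is filled in by iptables, the layout change is only safe because, as the description says, the revision has not been released yet.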
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 857d89951790..dada0411abd1 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -171,9 +171,9 @@ static inline void nf_ct_put(struct nf_conn *ct) extern int nf_ct_l3proto_try_module_get(unsigned short l3proto); extern void nf_ct_l3proto_module_put(unsigned short l3proto); -extern struct hlist_head *nf_ct_alloc_hashtable(int *sizep, int *vmalloced); +extern struct hlist_head *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced); extern void nf_ct_free_hashtable(struct hlist_head *hash, int vmalloced, - int size); + unsigned int size); extern struct nf_conntrack_tuple_hash * __nf_conntrack_find(const struct nf_conntrack_tuple *tuple, -- cgit v1.2.2 From b0a6363c2418c93f25dd30b8ffcd3fdd4ce23ad6 Mon Sep 17 00:00:00 2001 
From: Patrick McHardy Date: Thu, 31 Jan 2008 04:10:18 -0800 Subject: [NETFILTER]: {ip,arp,ip6}_tables: fix sparse warnings in compat code CHECK net/ipv4/netfilter/ip_tables.c net/ipv4/netfilter/ip_tables.c:1453:8: warning: incorrect type in argument 3 (different signedness) net/ipv4/netfilter/ip_tables.c:1453:8: expected int *size net/ipv4/netfilter/ip_tables.c:1453:8: got unsigned int [usertype] *size net/ipv4/netfilter/ip_tables.c:1458:44: warning: incorrect type in argument 3 (different signedness) net/ipv4/netfilter/ip_tables.c:1458:44: expected int *size net/ipv4/netfilter/ip_tables.c:1458:44: got unsigned int [usertype] *size net/ipv4/netfilter/ip_tables.c:1603:2: warning: incorrect type in argument 2 (different signedness) net/ipv4/netfilter/ip_tables.c:1603:2: expected unsigned int *i net/ipv4/netfilter/ip_tables.c:1603:2: got int * net/ipv4/netfilter/ip_tables.c:1627:8: warning: incorrect type in argument 3 (different signedness) net/ipv4/netfilter/ip_tables.c:1627:8: expected int *size net/ipv4/netfilter/ip_tables.c:1627:8: got unsigned int *size net/ipv4/netfilter/ip_tables.c:1634:40: warning: incorrect type in argument 3 (different signedness) net/ipv4/netfilter/ip_tables.c:1634:40: expected int *size net/ipv4/netfilter/ip_tables.c:1634:40: got unsigned int *size net/ipv4/netfilter/ip_tables.c:1653:8: warning: incorrect type in argument 5 (different signedness) net/ipv4/netfilter/ip_tables.c:1653:8: expected unsigned int *i net/ipv4/netfilter/ip_tables.c:1653:8: got int * net/ipv4/netfilter/ip_tables.c:1666:2: warning: incorrect type in argument 2 (different signedness) net/ipv4/netfilter/ip_tables.c:1666:2: expected unsigned int *i net/ipv4/netfilter/ip_tables.c:1666:2: got int * CHECK net/ipv4/netfilter/arp_tables.c net/ipv4/netfilter/arp_tables.c:1285:40: warning: incorrect type in argument 3 (different signedness) net/ipv4/netfilter/arp_tables.c:1285:40: expected int *size net/ipv4/netfilter/arp_tables.c:1285:40: got unsigned int *size 
net/ipv4/netfilter/arp_tables.c:1543:44: warning: incorrect type in argument 3 (different signedness) net/ipv4/netfilter/arp_tables.c:1543:44: expected int *size net/ipv4/netfilter/arp_tables.c:1543:44: got unsigned int [usertype] *size CHECK net/ipv6/netfilter/ip6_tables.c net/ipv6/netfilter/ip6_tables.c:1481:8: warning: incorrect type in argument 3 (different signedness) net/ipv6/netfilter/ip6_tables.c:1481:8: expected int *size net/ipv6/netfilter/ip6_tables.c:1481:8: got unsigned int [usertype] *size net/ipv6/netfilter/ip6_tables.c:1486:44: warning: incorrect type in argument 3 (different signedness) net/ipv6/netfilter/ip6_tables.c:1486:44: expected int *size net/ipv6/netfilter/ip6_tables.c:1486:44: got unsigned int [usertype] *size net/ipv6/netfilter/ip6_tables.c:1631:2: warning: incorrect type in argument 2 (different signedness) net/ipv6/netfilter/ip6_tables.c:1631:2: expected unsigned int *i net/ipv6/netfilter/ip6_tables.c:1631:2: got int * net/ipv6/netfilter/ip6_tables.c:1655:8: warning: incorrect type in argument 3 (different signedness) net/ipv6/netfilter/ip6_tables.c:1655:8: expected int *size net/ipv6/netfilter/ip6_tables.c:1655:8: got unsigned int *size net/ipv6/netfilter/ip6_tables.c:1662:40: warning: incorrect type in argument 3 (different signedness) net/ipv6/netfilter/ip6_tables.c:1662:40: expected int *size net/ipv6/netfilter/ip6_tables.c:1662:40: got unsigned int *size net/ipv6/netfilter/ip6_tables.c:1680:8: warning: incorrect type in argument 5 (different signedness) net/ipv6/netfilter/ip6_tables.c:1680:8: expected unsigned int *i net/ipv6/netfilter/ip6_tables.c:1680:8: got int * net/ipv6/netfilter/ip6_tables.c:1693:2: warning: incorrect type in argument 2 (different signedness) net/ipv6/netfilter/ip6_tables.c:1693:2: expected unsigned int *i net/ipv6/netfilter/ip6_tables.c:1693:2: got int * Signed-off-by: Patrick McHardy 
Signed-off-by: David S. Miller --- include/linux/netfilter/x_tables.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'include') diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 91a1dd5b9c66..11eea39bbf7d 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -432,15 +432,15 @@ extern short xt_compat_calc_jump(int af, unsigned int offset); extern int xt_compat_match_offset(struct xt_match *match); extern int xt_compat_match_from_user(struct xt_entry_match *m, - void **dstptr, int *size); + void **dstptr, unsigned int *size); extern int xt_compat_match_to_user(struct xt_entry_match *m, - void __user **dstptr, int *size); + void __user **dstptr, unsigned int *size); extern int xt_compat_target_offset(struct xt_target *target); extern void xt_compat_target_from_user(struct xt_entry_target *t, - void **dstptr, int *size); + void **dstptr, unsigned int *size); extern int xt_compat_target_to_user(struct xt_entry_target *t, - void __user **dstptr, int *size); + void __user **dstptr, unsigned int *size); #endif /* CONFIG_COMPAT */ #endif /* __KERNEL__ */ -- cgit v1.2.2 From 58a3c9bb0c69f8517c2243cd0912b3f87b4f868c Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Thu, 31 Jan 2008 04:36:54 -0800 Subject: [NETFILTER]: nf_conntrack: use RCU for conntrack helpers Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack_helper.h | 4 ---- 1 file changed, 4 deletions(-) (limited to 'include') diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index 2f3af00643cf..4ca125e9b3ce 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h 
@@ -42,13 +42,9 @@ struct nf_conntrack_helper extern struct nf_conntrack_helper * __nf_ct_helper_find(const struct nf_conntrack_tuple *tuple); -extern struct nf_conntrack_helper * -nf_ct_helper_find_get( const struct nf_conntrack_tuple *tuple); - extern struct nf_conntrack_helper * __nf_conntrack_helper_find_byname(const char *name); -extern void nf_ct_helper_put(struct nf_conntrack_helper *helper); extern int nf_conntrack_helper_register(struct nf_conntrack_helper *); extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *); -- cgit v1.2.2 From 7d0742da1c8f5df3a34030f0170b30d1a052be80 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Thu, 31 Jan 2008 04:38:19 -0800 Subject: [NETFILTER]: nf_conntrack_expect: use RCU for expectation hash Use RCU for expectation hash. This doesn't buy much for conntrack runtime performance, but allows to reduce the use of nf_conntrack_lock for /proc and nf_netlink_conntrack. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack_expect.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include') diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 6c3fd254c28e..cb608a1b44e5 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h @@ -49,6 +49,8 @@ struct nf_conntrack_expect /* Direction relative to the master connection. */ enum ip_conntrack_dir dir; #endif + + struct rcu_head rcu; }; #define NF_CT_EXPECT_PERMANENT 0x1 -- cgit v1.2.2 From 76507f69c44ed199a1a68086145398459e55835d Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Thu, 31 Jan 2008 04:38:38 -0800 Subject: [NETFILTER]: nf_conntrack: use RCU for conntrack hash Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include') 
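Review bot: With `nf_ct_helper_find_get()` and `nf_ct_helper_put()` gone, `__nf_ct_helper_find()` is the only lookup left and nothing in the header says what keeps the returned helper alive; per the subject line that is now RCU, so the caller must hold `rcu_read_lock()` and must not keep the pointer past the read-side section. Suggest a comment above the declaration: `/* Caller must hold rcu_read_lock(); the returned helper is valid only inside the read-side critical section. */`. Former `_find_get()` callers that store the helper in a conntrack should now assign it with `rcu_assign_pointer()` and read it with `rcu_dereference()`, and `nf_conntrack_helper_unregister()` needs a `synchronize_rcu()` before a helper module can be unloaded; none of that is visible in this hunk, so it is worth confirming in the .c side.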
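Review bot: The new `struct rcu_head rcu` in `struct nf_conntrack_expect` implies expectations are freed through `call_rcu()`, so a reader walking the expectation hash under `rcu_read_lock()` can find an entry whose reference count has already reached zero and is waiting for the grace period. Whatever converts such a lookup into a held reference (presumably `nf_ct_expect_find_get()`, outside this hunk) must take it with `atomic_inc_not_zero()` and treat failure as "not found"; a plain `atomic_inc()` would resurrect an object already scheduled for freeing. A short comment on the field, `/* freed via call_rcu(); take references with atomic_inc_not_zero() */`, records the rule at the point of definition.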
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index dada0411abd1..561ae7658f55 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -129,6 +129,8 @@ struct nf_conn /* Extensions */ struct nf_ct_ext *ext; + + struct rcu_head rcu; }; static inline struct nf_conn * -- cgit v1.2.2 From f8ba1affa18398610e765736153fff614309ccc8 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Thu, 31 Jan 2008 04:38:58 -0800 Subject: [NETFILTER]: nf_conntrack: switch rwlock to spinlock With the RCU conversion only write_lock usages of nf_conntrack_lock are left (except one read_lock that should actually use write_lock in the H.323 helper). Switch to a spinlock. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack_core.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h index 7ad0828f05cf..2b9e5713585a 100644 --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h @@ -72,7 +72,7 @@ print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, struct nf_conntrack_l4proto *proto); extern struct hlist_head *nf_conntrack_hash; -extern rwlock_t nf_conntrack_lock ; +extern spinlock_t nf_conntrack_lock ; extern struct hlist_head unconfirmed; #endif /* _NF_CONNTRACK_CORE_H */ -- cgit v1.2.2 From ba419aff2cda91680e5d4d3eeff95df49bd2edec Mon Sep 17 00:00:00 2001 
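Review bot: Adding `struct rcu_head rcu` to `struct nf_conn` means a conntrack found under `rcu_read_lock()` may already have a zero reference count and be awaiting its grace period, so the code that turns a `__nf_conntrack_find()` result into a held reference (presumably `nf_conntrack_find_get()`, not in this hunk) must use `atomic_inc_not_zero()` on the reference count and return NULL or retry when that fails. Inline the rule next to the field: `/* freed via call_rcu(); readers must take references with atomic_inc_not_zero() */`. The extra field also grows every conntrack, which matters for the cacheline layout later commits in this series are tuning; placing it after `ext` at least keeps it out of the packet-path members.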
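Review bot: The commit message itself notes one remaining `read_lock(&nf_conntrack_lock)` in the H.323 helper; once the variable is `spinlock_t` that call is a type mismatch on the lock internals, so the helper must be switched to `spin_lock_bh()` in the same change or the tree is broken at this bisect point. The lock's role has also changed from reader/writer to writer-only with RCU readers, and the header should say so: `/* Serialises hash insert/remove, the unconfirmed list and expectations; lookups use RCU and do not take it. */`. The stray space in `nf_conntrack_lock ;` could be dropped while the line is being rewritten.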
From: Patrick McHardy Date: Thu, 31 Jan 2008 04:39:23 -0800 Subject: [NETFILTER]: nf_conntrack: optimize __nf_conntrack_find() Ignoring specific entries in __nf_conntrack_find() is only needed by NAT for nf_conntrack_tuple_taken(). Remove it from __nf_conntrack_find() and make nf_conntrack_tuple_taken() search the hash itself. Saves 54 bytes of text in the hotpath on x86_64: __nf_conntrack_find | -54 # 321 -> 267, # inlines: 3 -> 2, size inlines: 181 -> 127 nf_conntrack_tuple_taken | +305 # 15 -> 320, lexblocks: 0 -> 3, # inlines: 0 -> 3, size inlines: 0 -> 181 nf_conntrack_find_get | -2 # 90 -> 88 3 functions changed, 305 bytes added, 56 bytes removed, diff: +249 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'include') diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 561ae7658f55..14e0cc8364f2 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -178,8 +178,7 @@ extern void nf_ct_free_hashtable(struct hlist_head *hash, int vmalloced, unsigned int size); extern struct nf_conntrack_tuple_hash * -__nf_conntrack_find(const struct nf_conntrack_tuple *tuple, - const struct nf_conn *ignored_conntrack); +__nf_conntrack_find(const struct nf_conntrack_tuple *tuple); extern void nf_conntrack_hash_insert(struct nf_conn *ct); -- cgit v1.2.2 From 380517dead6ab86d7249a1723f07f2f1b10af5f6 Mon Sep 17 00:00:00 2001 
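Review bot: The declaration of `__nf_conntrack_find()` loses its `ignored_conntrack` parameter but still carries no locking contract, and after the RCU conversion the caller-side rule is the non-obvious part: the caller must hold `rcu_read_lock()` (or `nf_conntrack_lock`) and the returned `nf_conntrack_tuple_hash` is only safe to dereference inside that section. Suggest `/* Caller must hold rcu_read_lock(); the result may belong to a dying entry and must not be used outside the RCU section without taking a reference. */` above the prototype. The existing comment on `nf_conntrack_tuple_taken()` that begins "ignoring any belonging to the given" remains accurate, since that function now performs its own hash walk.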
From: Patrick McHardy Date: Thu, 31 Jan 2008 04:40:04 -0800 Subject: [NETFILTER]: nf_conntrack: avoid duplicate protocol comparison in nf_ct_tuple_equal() nf_ct_tuple_src_equal() and nf_ct_tuple_dst_equal() both compare the protocol numbers. Unfortunately gcc doesn't optimize out the second comparison, so remove it and prefix both functions with __ to indicate that they should not be used directly. Saves another 16 byte of text in __nf_conntrack_find() on x86_64: nf_conntrack_tuple_taken | -20 # 320 -> 300, size inlines: 181 -> 161 __nf_conntrack_find | -16 # 267 -> 251, size inlines: 127 -> 115 __nf_conntrack_confirm | -40 # 875 -> 835, size inlines: 570 -> 537 3 functions changed, 76 bytes removed Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack_tuple.h | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) (limited to 'include') diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h index 45cb17cdcfd0..e69ab2e87597 100644 --- a/include/net/netfilter/nf_conntrack_tuple.h +++ b/include/net/netfilter/nf_conntrack_tuple.h 
@@ -132,34 +132,33 @@ struct nf_conntrack_tuple_hash #endif /* __KERNEL__ */ -static inline int nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1, - const struct nf_conntrack_tuple *t2) +static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1, + const struct nf_conntrack_tuple *t2) { return (t1->src.u3.all[0] == t2->src.u3.all[0] && t1->src.u3.all[1] == t2->src.u3.all[1] && t1->src.u3.all[2] == t2->src.u3.all[2] && t1->src.u3.all[3] == t2->src.u3.all[3] && t1->src.u.all == t2->src.u.all && - t1->src.l3num == t2->src.l3num && - t1->dst.protonum == t2->dst.protonum); + t1->src.l3num == t2->src.l3num); } -static inline int nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1, - const struct nf_conntrack_tuple *t2) +static inline int __nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1, + const struct nf_conntrack_tuple *t2) { return (t1->dst.u3.all[0] == t2->dst.u3.all[0] && t1->dst.u3.all[1] == t2->dst.u3.all[1] && t1->dst.u3.all[2] == t2->dst.u3.all[2] && t1->dst.u3.all[3] == t2->dst.u3.all[3] && t1->dst.u.all == t2->dst.u.all && - t1->src.l3num == t2->src.l3num && t1->dst.protonum == t2->dst.protonum); } static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1, const struct nf_conntrack_tuple *t2) { - return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2); + return __nf_ct_tuple_src_equal(t1, t2) && + __nf_ct_tuple_dst_equal(t1, t2); } static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1, @@ -199,7 +198,7 @@ static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t, const struct nf_conntrack_tuple_mask *mask) { return nf_ct_tuple_src_mask_cmp(t, tuple, mask) && - nf_ct_tuple_dst_equal(t, tuple); + __nf_ct_tuple_dst_equal(t, tuple); } #endif /* _NF_CONNTRACK_TUPLE_H */ -- cgit v1.2.2 From ffaa9c100bd75c81744a2b7800a45daba53db0eb Mon Sep 17 00:00:00 2001 
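Review bot: `nf_ct_tuple_mask_cmp()` previously got an `l3num` comparison from `nf_ct_tuple_dst_equal()`; after this hunk `__nf_ct_tuple_dst_equal()` no longer compares `src.l3num`, so the mask compare only checks the address family if `nf_ct_tuple_src_mask_cmp()` (outside the hunk) does it. If it does not, an expectation can match a tuple of the other address family whose masked address bytes happen to agree, so please verify and add `t->src.l3num == tuple->src.l3num &&` to `nf_ct_tuple_mask_cmp()` if needed. The double-underscore prefix is the only hint that the split helpers are incomplete on their own; a one-line comment such as `/* Compares the source half only; use nf_ct_tuple_equal() for a full compare. */` above `__nf_ct_tuple_src_equal()` would make the intent explicit.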
From: Patrick McHardy Date: Thu, 31 Jan 2008 04:41:14 -0800 Subject: [NETFILTER]: nf_conntrack: reorder struct nf_conntrack_l4proto Reorder struct nf_conntrack_l4proto so all members used during packet processing are in the same cacheline. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack_l4proto.h | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) (limited to 'include') diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h index fb50c217ba0a..84892cc1d603 100644 --- a/include/net/netfilter/nf_conntrack_l4proto.h +++ b/include/net/netfilter/nf_conntrack_l4proto.h @@ -23,9 +23,6 @@ struct nf_conntrack_l4proto /* L4 Protocol number. */ u_int8_t l4proto; - /* Protocol name */ - const char *name; - /* Try to fill in the third arg: dataoff is offset past network protocol hdr. Return true if possible. */ int (*pkt_to_tuple)(const struct sk_buff *skb, @@ -38,13 +35,6 @@ struct nf_conntrack_l4proto int (*invert_tuple)(struct nf_conntrack_tuple *inverse, const struct nf_conntrack_tuple *orig); - /* Print out the per-protocol part of the tuple. Return like seq_* */ - int (*print_tuple)(struct seq_file *s, - const struct nf_conntrack_tuple *); - - /* Print out the private part of the conntrack. */ - int (*print_conntrack)(struct seq_file *s, const struct nf_conn *); - /* Returns verdict for packet, or -1 for invalid. */ int (*packet)(struct nf_conn *conntrack, const struct sk_buff *skb, 
@@ -65,6 +55,13 @@ struct nf_conntrack_l4proto enum ip_conntrack_info *ctinfo, int pf, unsigned int hooknum); + /* Print out the per-protocol part of the tuple. Return like seq_* */ + int (*print_tuple)(struct seq_file *s, + const struct nf_conntrack_tuple *); + + /* Print out the private part of the conntrack. */ + int (*print_conntrack)(struct seq_file *s, const struct nf_conn *); + /* convert protoinfo to nfnetink attributes */ int (*to_nlattr)(struct sk_buff *skb, struct nlattr *nla, const struct nf_conn *ct); @@ -87,6 +84,8 @@ struct nf_conntrack_l4proto struct ctl_table *ctl_compat_table; #endif #endif + /* Protocol name */ + const char *name; /* Module (if any) which this is connected to. */ struct module *me; -- cgit v1.2.2 From c88130bcd546e73e66165f9c29113dae9facf1ec Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Thu, 31 Jan 2008 04:42:11 -0800 Subject: [NETFILTER]: nf_conntrack: naming unification Rename all "conntrack" variables to "ct" for more consistency and avoiding some overly long lines. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack.h | 4 ++-- include/net/netfilter/nf_conntrack_l3proto.h | 4 ++-- include/net/netfilter/nf_conntrack_l4proto.h | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) (limited to 'include') diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 14e0cc8364f2..bda78a286e2b 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -145,7 +145,7 @@ nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash) /* Alter reply tuple (maybe alter helper). */ extern void -nf_conntrack_alter_reply(struct nf_conn *conntrack, +nf_conntrack_alter_reply(struct nf_conn *ct, const struct nf_conntrack_tuple *newreply); /* Is this tuple taken? (ignoring any belonging to the given 
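Review bot: Moving `name` to the end and `print_tuple`/`print_conntrack` below `error` changes the member order of a struct that every L4 protocol module instantiates; if any instance uses positional rather than designated initializers it now silently assigns the wrong members, so the change is only safe once every `struct nf_conntrack_l4proto` definition in the tree is confirmed to use `.field =` syntax. The stated rationale (packet-path members in one cacheline) is invisible in the header itself and will be undone by the next person who appends a field in the "wrong" place; a marker such as `/* Members above are used on the packet path; keep them together. Everything below is slow path (proc, ctnetlink, sysctl, module). */` just before `print_tuple` would protect the layout. The enclosing struct begins before the first hunk of this file.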
@@ -218,7 +218,7 @@ static inline void nf_ct_refresh(struct nf_conn *ct, /* Update TCP window tracking data when NAT mangles the packet */ extern void nf_conntrack_tcp_update(struct sk_buff *skb, unsigned int dataoff, - struct nf_conn *conntrack, + struct nf_conn *ct, int dir); /* Fake conntrack entry for untracked connections */ diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h index d5526bcce147..b886e3ae6cad 100644 --- a/include/net/netfilter/nf_conntrack_l3proto.h +++ b/include/net/netfilter/nf_conntrack_l3proto.h @@ -43,7 +43,7 @@ struct nf_conntrack_l3proto const struct nf_conntrack_tuple *); /* Returns verdict for packet, or -1 for invalid. */ - int (*packet)(struct nf_conn *conntrack, + int (*packet)(struct nf_conn *ct, const struct sk_buff *skb, enum ip_conntrack_info ctinfo); @@ -51,7 +51,7 @@ struct nf_conntrack_l3proto * Called when a new connection for this protocol found; * returns TRUE if it's OK. If so, packet() called next. */ - int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb); + int (*new)(struct nf_conn *ct, const struct sk_buff *skb); /* * Called before tracking. diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h index 84892cc1d603..efc16eccddb1 100644 --- a/include/net/netfilter/nf_conntrack_l4proto.h +++ b/include/net/netfilter/nf_conntrack_l4proto.h @@ -36,7 +36,7 @@ struct nf_conntrack_l4proto const struct nf_conntrack_tuple *orig); /* Returns verdict for packet, or -1 for invalid. */ - int (*packet)(struct nf_conn *conntrack, + int (*packet)(struct nf_conn *ct, const struct sk_buff *skb, unsigned int dataoff, enum ip_conntrack_info ctinfo, 
@@ -45,11 +45,11 @@ struct nf_conntrack_l4proto /* Called when a new connection for this protocol found; * returns TRUE if it's OK. If so, packet() called next. */ - int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb, + int (*new)(struct nf_conn *ct, const struct sk_buff *skb, unsigned int dataoff); /* Called when a conntrack entry is destroyed */ - void (*destroy)(struct nf_conn *conntrack); + void (*destroy)(struct nf_conn *ct); int (*error)(struct sk_buff *skb, unsigned int dataoff, enum ip_conntrack_info *ctinfo, -- cgit v1.2.2 From 09e410def6432458c7d7e771a1807b157f4c2577 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 31 Jan 2008 04:48:13 -0800 Subject: [NETFILTER]: xt_hashlimit match, revision 1 Introduces the xt_hashlimit match revision 1. It adds support for kernel-level inversion and grouping source and/or destination IP addresses, allowing to limit on a per-subnet basis. While this would technically obsolete xt_limit, xt_hashlimit is a more expensive due to the hashbucketing. Kernel-level inversion: Previously you had to do user-level inversion: iptables -N foo iptables -A foo -m hashlimit --hashlimit(-upto) 5/s -j RETURN iptables -A foo -j DROP iptables -A INPUT -j foo now it is simpler: iptables -A INPUT -m hashlimit --hashlimit-over 5/s -j DROP Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/xt_hashlimit.h | 37 +++++++++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 5 deletions(-) (limited to 'include') diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h index c19972e4564d..58b818ee41ca 100644 --- a/include/linux/netfilter/xt_hashlimit.h +++ b/include/linux/netfilter/xt_hashlimit.h 
@@ -9,13 +9,16 @@ /* details of this structure hidden by the implementation */ struct xt_hashlimit_htable; -#define XT_HASHLIMIT_HASH_DIP 0x0001 -#define XT_HASHLIMIT_HASH_DPT 0x0002 -#define XT_HASHLIMIT_HASH_SIP 0x0004 -#define XT_HASHLIMIT_HASH_SPT 0x0008 +enum { + XT_HASHLIMIT_HASH_DIP = 1 << 0, + XT_HASHLIMIT_HASH_DPT = 1 << 1, + XT_HASHLIMIT_HASH_SIP = 1 << 2, + XT_HASHLIMIT_HASH_SPT = 1 << 3, + XT_HASHLIMIT_INVERT = 1 << 4, +}; struct hashlimit_cfg { - u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */ + u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */ u_int32_t avg; /* Average secs between packets * scale */ u_int32_t burst; /* Period multiplier for upper limit. */ @@ -37,4 +40,28 @@ struct xt_hashlimit_info { struct xt_hashlimit_info *master; } u; }; + +struct hashlimit_cfg1 { + u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */ + u_int32_t avg; /* Average secs between packets * scale */ + u_int32_t burst; /* Period multiplier for upper limit. */ + + /* user specified */ + u_int32_t size; /* how many buckets */ + u_int32_t max; /* max number of entries */ + u_int32_t gc_interval; /* gc interval */ + u_int32_t expire; /* when do entries expire? */ + + u_int8_t srcmask, dstmask; +}; + +struct xt_hashlimit_mtinfo1 { + char name[IFNAMSIZ]; + struct hashlimit_cfg1 cfg; + + /* Used internally by the kernel */ + struct xt_hashlimit_htable *hinfo __attribute__((aligned(8))); + struct xt_hashlimit_mtinfo1 *master __attribute__((aligned(8))); +}; + #endif /*_XT_HASHLIMIT_H*/ -- cgit v1.2.2 From 3cb609d57c20027a8b39fc60b79b930a89da82d4 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Thu, 31 Jan 2008 04:49:35 -0800 Subject: [NETFILTER]: x_tables: create per-netns /proc/net/*_tables_* Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/x_tables.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include') 
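Review bot: Replacing the `XT_HASHLIMIT_HASH_*` `#define`s with an anonymous `enum` changes a userspace-visible header: any iptables build that tests `#ifdef XT_HASHLIMIT_HASH_DIP` to detect the kernel headers now sees the macro as undefined, because enum constants are invisible to the preprocessor. If keeping the defines is undesirable, a compatibility line per constant such as `#define XT_HASHLIMIT_HASH_DIP XT_HASHLIMIT_HASH_DIP` preserves feature tests while keeping the enum as the definition. The `mode` comment in `struct hashlimit_cfg` is fine for revision 0, where `XT_HASHLIMIT_INVERT` is not a legal bit; the revision-0 `checkentry` should keep rejecting it.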
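Review bot: `struct xt_hashlimit_mtinfo1` is copied in from userspace, and the header gives no hint of the validation the revision-1 `checkentry` (outside this hunk) must perform: `name` must be NUL-terminated before it is used as a /proc entry name, `srcmask`/`dstmask` must be at most 32 for IPv4 and 128 for IPv6 or the masking code shifts past the address width, `mode` must have no bits outside `XT_HASHLIMIT_HASH_*|XT_HASHLIMIT_INVERT`, and `avg`, `burst`, `size`, `max`, `gc_interval` and `expire` need the same zero/overflow checks revision 0 applies. The `mode` comment on `hashlimit_cfg1` says "bitmask of XT_HASHLIMIT_HASH_*" but the field now also carries `XT_HASHLIMIT_INVERT`; suggest `/* XT_HASHLIMIT_HASH_* bits, optionally OR'd with XT_HASHLIMIT_INVERT */`. The `aligned(8)` on the two kernel-internal pointers is presumably there to keep the layout identical for 32-bit compat callers, which is worth stating in a comment so nobody "cleans it up".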
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 11eea39bbf7d..b2c62cc618f5 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -357,8 +357,8 @@ extern struct xt_table *xt_find_table_lock(struct net *net, int af, const char *name); extern void xt_table_unlock(struct xt_table *t); -extern int xt_proto_init(int af); -extern void xt_proto_fini(int af); +extern int xt_proto_init(struct net *net, int af); +extern void xt_proto_fini(struct net *net, int af); extern struct xt_table_info *xt_alloc_table_info(unsigned int size); extern void xt_free_table_info(struct xt_table_info *info); -- cgit v1.2.2 From 13f7d63c2911c9d1a254d13899986fc801641127 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 31 Jan 2008 04:50:25 -0800 Subject: [NETFILTER]: nf_{conntrack,nat}_sip: annotate SIP helper with const Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/nf_conntrack_sip.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'include') diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h index 9fff19779bd5..8e5ce1ca7bfc 100644 --- a/include/linux/netfilter/nf_conntrack_sip.h +++ b/include/linux/netfilter/nf_conntrack_sip.h @@ -30,9 +30,9 @@ extern unsigned int (*nf_nat_sdp_hook)(struct sk_buff *skb, struct nf_conntrack_expect *exp, const char *dptr); -extern int ct_sip_get_info(struct nf_conn *ct, const char *dptr, size_t dlen, - unsigned int *matchoff, unsigned int *matchlen, - enum sip_header_pos pos); +extern int ct_sip_get_info(const struct nf_conn *ct, const char *dptr, + size_t dlen, unsigned int *matchoff, + unsigned int *matchlen, enum sip_header_pos pos); extern int ct_sip_lnlen(const char *line, const char *limit); extern const char *ct_sip_search(const char *needle, const char *haystack, size_t needle_len, size_t haystack_len, -- cgit v1.2.2 
From 9ddd0ed050445176a97e11b2b24d6fbc01843da6 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 31 Jan 2008 04:51:23 -0800 Subject: [NETFILTER]: nf_{conntrack,nat}_pptp: annotate PPtP helper with const Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/nf_conntrack_pptp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/netfilter/nf_conntrack_pptp.h b/include/linux/netfilter/nf_conntrack_pptp.h index 23435496d24a..3bbde0c3a8a6 100644 --- a/include/linux/netfilter/nf_conntrack_pptp.h +++ b/include/linux/netfilter/nf_conntrack_pptp.h @@ -4,7 +4,7 @@ #include -extern const char *pptp_msg_name[]; +extern const char *const pptp_msg_name[]; /* state of the control session */ enum pptp_ctrlsess_state { -- cgit v1.2.2 From 82f568fc2f6bcab18e4c80291d21f7f8463ee698 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 31 Jan 2008 04:52:07 -0800 Subject: [NETFILTER]: nf_{conntrack,nat}_proto_tcp: constify and annotate TCP modules Constify a few data tables use const qualifiers on variables where possible in the nf_*_proto_tcp sources. Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index bda78a286e2b..90b3e7f5df5f 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -216,7 +216,7 @@ static inline void nf_ct_refresh(struct nf_conn *ct, /* These are for NAT. Icky. */ /* Update TCP window tracking data when NAT mangles the packet */ -extern void nf_conntrack_tcp_update(struct sk_buff *skb, +extern void nf_conntrack_tcp_update(const struct sk_buff *skb, unsigned int dataoff, struct nf_conn *ct, int dir); -- cgit v1.2.2 
From 32948588ac4ec54300bae1037e839277fd4536e2 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 31 Jan 2008 04:53:24 -0800 Subject: [NETFILTER]: nf_conntrack: annotate l3protos with const Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack_core.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include') diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h index 2b9e5713585a..9ee26469c759 100644 --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h @@ -68,8 +68,8 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb) int print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, - struct nf_conntrack_l3proto *l3proto, - struct nf_conntrack_l4proto *proto); + const struct nf_conntrack_l3proto *l3proto, + const struct nf_conntrack_l4proto *proto); extern struct hlist_head *nf_conntrack_hash; extern spinlock_t nf_conntrack_lock ; -- cgit v1.2.2 From 535174efbe0f0454f0595c31b823498c197eeb4f Mon Sep 17 00:00:00 2001 From: Pavel Emelyanov Date: Thu, 31 Jan 2008 05:03:27 -0800 Subject: [IPV6]: Introduce the INET6_TW_MATCH macro. We have INET_MATCH, INET_TW_MATCH and INET6_MATCH to test sockets and twbuckets for matching, but ipv6 twbuckets are tested manually. Here's the INET6_TW_MATCH to help with it. Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller --- include/linux/ipv6.h | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'include') diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h index 5d35a4cc3bff..c34786044a1b 100644 --- a/include/linux/ipv6.h +++ b/include/linux/ipv6.h 
@@ -465,6 +465,14 @@ static inline struct raw6_sock *raw6_sk(const struct sock *sk) ipv6_addr_equal(&inet6_sk(__sk)->rcv_saddr, (__daddr)) && \ (!((__sk)->sk_bound_dev_if) || ((__sk)->sk_bound_dev_if == (__dif)))) +#define INET6_TW_MATCH(__sk, __hash, __saddr, __daddr, __ports, __dif) \ + (((__sk)->sk_hash == (__hash)) && \ + (*((__portpair *)&(inet_twsk(__sk)->tw_dport)) == (__ports)) && \ + ((__sk)->sk_family == PF_INET6) && \ + (ipv6_addr_equal(&inet6_twsk(__sk)->tw_v6_daddr, (__saddr))) && \ + (ipv6_addr_equal(&inet6_twsk(__sk)->tw_v6_rcv_saddr, (__daddr))) && \ + (!((__sk)->sk_bound_dev_if) || ((__sk)->sk_bound_dev_if == (__dif)))) + #endif /* __KERNEL__ */ #endif /* _IPV6_H */ -- cgit v1.2.2 From 5ee31fc1ecdcbc234c8c56dcacef87c8e09909d8 Mon Sep 17 00:00:00 2001 From: Pavel Emelyanov Date: Thu, 31 Jan 2008 05:04:45 -0800 Subject: [INET]: Consolidate inet(6)_hash_connect. These two functions are the same except for what they call to "check_established" and "hash" for a socket. This saves half-a-kilo for ipv4 and ipv6. add/remove: 1/0 grow/shrink: 1/4 up/down: 582/-1128 (-546) function old new delta __inet_hash_connect - 577 +577 arp_ignore 108 113 +5 static.hint 8 4 -4 rt_worker_func 376 372 -4 inet6_hash_connect 584 25 -559 inet_hash_connect 586 25 -561 Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller --- include/net/inet_hashtables.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'include') diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h index 761bdc01425d..a34a8f25fc57 100644 --- a/include/net/inet_hashtables.h +++ b/include/net/inet_hashtables.h 
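Review bot: `INET6_TW_MATCH` compares `__saddr` against `tw_v6_daddr` and `__daddr` against `tw_v6_rcv_saddr`; that is the same peer-relative naming `INET6_MATCH` above it uses, but it is easy to misread as swapped, so a comment such as `/* __saddr/__daddr are the packet's source/destination, i.e. the socket's daddr/rcv_saddr */` would keep the next caller from passing them the wrong way round. Minor consistency point: `INET6_MATCH` tests `sk_family == AF_INET6` while this macro uses `PF_INET6`; the values are identical, but the family field conventionally uses `AF_`. The `(__portpair *)&tw_dport` cast relies on `tw_dport` and `tw_num` being adjacent in `struct inet_timewait_sock`, as the IPv4 macros already do; that assumption is not stated anywhere visible here.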
@@ -413,6 +413,11 @@ static inline struct sock *inet_lookup(struct inet_hashinfo *hashinfo, return sk; } +extern int __inet_hash_connect(struct inet_timewait_death_row *death_row, + struct sock *sk, + int (*check_established)(struct inet_timewait_death_row *, + struct sock *, __u16, struct inet_timewait_sock **), + void (*hash)(struct inet_hashinfo *, struct sock *)); extern int inet_hash_connect(struct inet_timewait_death_row *death_row, struct sock *sk); #endif /* _INET_HASHTABLES_H */ -- cgit v1.2.2 From 941b1d22cc035ad58b3d9b44a1c74efac2d7e499 Mon Sep 17 00:00:00 2001 From: Pavel Emelyanov Date: Thu, 31 Jan 2008 05:05:50 -0800 Subject: [NETNS]: Make bind buckets live in net namespaces. This tags the inet_bind_bucket struct with net pointer, initializes it during creation and makes a filtering during lookup. A better hashfn, that takes the net into account is to be done in the future, but currently all bind buckets with similar port will be in one hash chain. Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller --- include/net/inet_hashtables.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include') diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h index a34a8f25fc57..55532b9bb59a 100644 --- a/include/net/inet_hashtables.h +++ b/include/net/inet_hashtables.h @@ -74,6 +74,7 @@ struct inet_ehash_bucket { * ports are created in O(1) time? I thought so. ;-) -DaveM */ struct inet_bind_bucket { + struct net *ib_net; unsigned short port; signed short fastreuse; struct hlist_node node; @@ -194,6 +195,7 @@ static inline void inet_ehash_locks_free(struct inet_hashinfo *hashinfo) extern struct inet_bind_bucket * inet_bind_bucket_create(struct kmem_cache *cachep, + struct net *net, struct inet_bind_hashbucket *head, const unsigned short snum); extern void inet_bind_bucket_destroy(struct kmem_cache *cachep, -- cgit v1.2.2 From c67499c0e772064b37ad75eb69b28fc218752636 Mon Sep 17 00:00:00 2001 
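Review bot: The new `__inet_hash_connect()` prototype exposes two callbacks whose arguments are undocumented: the `__u16` passed to `check_established` is presumably the candidate local port in host order and the `struct inet_timewait_sock **` an out-parameter for a reusable timewait bucket, but nothing in the header says so, nor what return value means "port is free". A short comment above the declaration naming each callback's contract, e.g. `/* check_established(death_row, sk, lport, &tw): 0 if (sk, lport) is usable, else -errno; hash(hashinfo, sk): insert sk into the established hash */`, would save every new address family from reading the IPv4 implementation. Since this path is reachable from connect(), the error convention should be pinned down explicitly rather than inferred.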
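Review bot: `ib_net` stores a bare `struct net *` with no reference taken, so the bucket's lifetime must be bounded by sockets of that namespace; that holds only if a bucket is destroyed as soon as its owner list empties, which the header neither states nor enforces. A comment on the field, `/* not refcounted: the bucket is destroyed when its last owner leaves, before the net can go away */`, makes the invariant explicit for anyone who later adds a cache or delayed free. The commit message also notes that the hash still ignores the net, so buckets for one port across all namespaces share a chain; a `/* TODO: fold net into the hash */` at `inet_bind_bucket_create()` would keep that from being forgotten.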
From: Pavel Emelyanov Date: Thu, 31 Jan 2008 05:06:40 -0800 Subject: [NETNS]: Tcp-v4 sockets per-net lookup. Add a net argument to inet_lookup and propagate it further into lookup calls. Plus tune the __inet_check_established. The dccp and inet_diag, which use that lookup functions pass the init_net into them. Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller --- include/net/inet_hashtables.h | 48 ++++++++++++++++++++++++------------------- 1 file changed, 27 insertions(+), 21 deletions(-) (limited to 'include') diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h index 55532b9bb59a..c23c4ed30724 100644 --- a/include/net/inet_hashtables.h +++ b/include/net/inet_hashtables.h @@ -302,15 +302,17 @@ out: wake_up(&hashinfo->lhash_wait); } -extern struct sock *__inet_lookup_listener(struct inet_hashinfo *hashinfo, +extern struct sock *__inet_lookup_listener(struct net *net, + struct inet_hashinfo *hashinfo, const __be32 daddr, const unsigned short hnum, const int dif); -static inline struct sock *inet_lookup_listener(struct inet_hashinfo *hashinfo, - __be32 daddr, __be16 dport, int dif) +static inline struct sock *inet_lookup_listener(struct net *net, + struct inet_hashinfo *hashinfo, + __be32 daddr, __be16 dport, int dif) { - return __inet_lookup_listener(hashinfo, daddr, ntohs(dport), dif); + return __inet_lookup_listener(net, hashinfo, daddr, ntohs(dport), dif); } /* Socket demux engine toys. */ 
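Review bot: The commit message says dccp and inet_diag pass `init_net` into these lookups, which means a socket created inside another namespace is invisible to `inet_diag` and to dccp's demux until those callers are converted; that is a functional regression for namespace users rather than a crash, but it should be marked at each `init_net` call site with `/* FIXME: not namespace-aware yet */` so it is not mistaken for intent. The `__inet_lookup_listener()` extern still does not say how `net` is used; a one-line note would help: `/* net: namespace the packet arrived in; only sockets whose sk_net equals it match */`.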
@@ -344,26 +346,26 @@ typedef __u64 __bitwise __addrpair; (((__force __u64)(__be32)(__daddr)) << 32) | \ ((__force __u64)(__be32)(__saddr))); #endif /* __BIG_ENDIAN */ -#define INET_MATCH(__sk, __hash, __cookie, __saddr, __daddr, __ports, __dif)\ - (((__sk)->sk_hash == (__hash)) && \ +#define INET_MATCH(__sk, __net, __hash, __cookie, __saddr, __daddr, __ports, __dif)\ + (((__sk)->sk_hash == (__hash)) && ((__sk)->sk_net == (__net)) && \ ((*((__addrpair *)&(inet_sk(__sk)->daddr))) == (__cookie)) && \ ((*((__portpair *)&(inet_sk(__sk)->dport))) == (__ports)) && \ (!((__sk)->sk_bound_dev_if) || ((__sk)->sk_bound_dev_if == (__dif)))) -#define INET_TW_MATCH(__sk, __hash, __cookie, __saddr, __daddr, __ports, __dif)\ - (((__sk)->sk_hash == (__hash)) && \ +#define INET_TW_MATCH(__sk, __net, __hash, __cookie, __saddr, __daddr, __ports, __dif)\ + (((__sk)->sk_hash == (__hash)) && ((__sk)->sk_net == (__net)) && \ ((*((__addrpair *)&(inet_twsk(__sk)->tw_daddr))) == (__cookie)) && \ ((*((__portpair *)&(inet_twsk(__sk)->tw_dport))) == (__ports)) && \ (!((__sk)->sk_bound_dev_if) || ((__sk)->sk_bound_dev_if == (__dif)))) #else /* 32-bit arch */ #define INET_ADDR_COOKIE(__name, __saddr, __daddr) -#define INET_MATCH(__sk, __hash, __cookie, __saddr, __daddr, __ports, __dif) \ - (((__sk)->sk_hash == (__hash)) && \ +#define INET_MATCH(__sk, __net, __hash, __cookie, __saddr, __daddr, __ports, __dif) \ + (((__sk)->sk_hash == (__hash)) && ((__sk)->sk_net == (__net)) && \ (inet_sk(__sk)->daddr == (__saddr)) && \ (inet_sk(__sk)->rcv_saddr == (__daddr)) && \ ((*((__portpair *)&(inet_sk(__sk)->dport))) == (__ports)) && \ (!((__sk)->sk_bound_dev_if) || ((__sk)->sk_bound_dev_if == (__dif)))) -#define INET_TW_MATCH(__sk, __hash,__cookie, __saddr, __daddr, __ports, __dif) \ - (((__sk)->sk_hash == (__hash)) && \ +#define INET_TW_MATCH(__sk, __net, __hash,__cookie, __saddr, __daddr, __ports, __dif) \ + (((__sk)->sk_hash == (__hash)) && ((__sk)->sk_net == (__net)) && \ (inet_twsk(__sk)->tw_daddr == 
(__saddr)) && \ (inet_twsk(__sk)->tw_rcv_saddr == (__daddr)) && \ ((*((__portpair *)&(inet_twsk(__sk)->tw_dport))) == (__ports)) && \ @@ -376,32 +378,36 @@ typedef __u64 __bitwise __addrpair; * * Local BH must be disabled here. */ -extern struct sock * __inet_lookup_established(struct inet_hashinfo *hashinfo, +extern struct sock * __inet_lookup_established(struct net *net, + struct inet_hashinfo *hashinfo, const __be32 saddr, const __be16 sport, const __be32 daddr, const u16 hnum, const int dif); static inline struct sock * - inet_lookup_established(struct inet_hashinfo *hashinfo, + inet_lookup_established(struct net *net, struct inet_hashinfo *hashinfo, const __be32 saddr, const __be16 sport, const __be32 daddr, const __be16 dport, const int dif) { - return __inet_lookup_established(hashinfo, saddr, sport, daddr, + return __inet_lookup_established(net, hashinfo, saddr, sport, daddr, ntohs(dport), dif); } -static inline struct sock *__inet_lookup(struct inet_hashinfo *hashinfo, +static inline struct sock *__inet_lookup(struct net *net, + struct inet_hashinfo *hashinfo, const __be32 saddr, const __be16 sport, const __be32 daddr, const __be16 dport, const int dif) { u16 hnum = ntohs(dport); - struct sock *sk = __inet_lookup_established(hashinfo, saddr, sport, daddr, - hnum, dif); - return sk ? : __inet_lookup_listener(hashinfo, daddr, hnum, dif); + struct sock *sk = __inet_lookup_established(net, hashinfo, + saddr, sport, daddr, hnum, dif); + + return sk ? : __inet_lookup_listener(net, hashinfo, daddr, hnum, dif); } -static inline struct sock *inet_lookup(struct inet_hashinfo *hashinfo, +static inline struct sock *inet_lookup(struct net *net, + struct inet_hashinfo *hashinfo, const __be32 saddr, const __be16 sport, const __be32 daddr, const __be16 dport, const int dif) 
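Review bot: Every `INET_MATCH`/`INET_TW_MATCH` variant now adds `(__sk)->sk_net == (__net)` on the hottest demux path; when the kernel is built without namespace support `sk_net` is presumably always `&init_net`, so this compare is pure overhead on each chain entry. If a helper that folds to `1` in that configuration does not exist yet, it is worth introducing one (for example a `static inline int net_eq(const struct net *a, const struct net *b)` guarded by `CONFIG_NET_NS`) and using it here instead of the raw pointer compare, which also gives a single place to change if namespace identity ever stops being pointer equality. The 64-bit variants still leave `__saddr`/`__daddr` unused in favour of `__cookie`, which predates this change.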
@@ -409,7 +415,7 @@ static inline struct sock *inet_lookup(struct inet_hashinfo *hashinfo, struct sock *sk; local_bh_disable(); - sk = __inet_lookup(hashinfo, saddr, sport, daddr, dport, dif); + sk = __inet_lookup(net, hashinfo, saddr, sport, daddr, dport, dif); local_bh_enable(); return sk; -- cgit v1.2.2 From d86e0dac2ce412715181f792aa0749fe3effff11 Mon Sep 17 00:00:00 2001 From: Pavel Emelyanov Date: Thu, 31 Jan 2008 05:07:21 -0800 Subject: [NETNS]: Tcp-v6 sockets per-net lookup. Add a net argument to inet6_lookup and propagate it further. Actually, this is tcp-v6 implementation of what was done for tcp-v4 sockets in a previous patch. Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller --- include/linux/ipv6.h | 8 ++++---- include/net/inet6_hashtables.h | 17 ++++++++++------- 2 files changed, 14 insertions(+), 11 deletions(-) (limited to 'include') diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h index c34786044a1b..4aaefc349a4b 100644 --- a/include/linux/ipv6.h +++ b/include/linux/ipv6.h 
@@ -457,16 +457,16 @@ static inline struct raw6_sock *raw6_sk(const struct sock *sk)
 #define inet_v6_ipv6only(__sk) 0
 #endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
 
-#define INET6_MATCH(__sk, __hash, __saddr, __daddr, __ports, __dif)\
- (((__sk)->sk_hash == (__hash)) && \
+#define INET6_MATCH(__sk, __net, __hash, __saddr, __daddr, __ports, __dif)\
+ (((__sk)->sk_hash == (__hash)) && ((__sk)->sk_net == (__net)) && \
 ((*((__portpair *)&(inet_sk(__sk)->dport))) == (__ports)) && \
 ((__sk)->sk_family == AF_INET6) && \
 ipv6_addr_equal(&inet6_sk(__sk)->daddr, (__saddr)) && \
 ipv6_addr_equal(&inet6_sk(__sk)->rcv_saddr, (__daddr)) && \
 (!((__sk)->sk_bound_dev_if) || ((__sk)->sk_bound_dev_if == (__dif))))
 
-#define INET6_TW_MATCH(__sk, __hash, __saddr, __daddr, __ports, __dif) \
- (((__sk)->sk_hash == (__hash)) && \
+#define INET6_TW_MATCH(__sk, __net, __hash, __saddr, __daddr, __ports, __dif) \
+ (((__sk)->sk_hash == (__hash)) && ((__sk)->sk_net == (__net)) && \
 (*((__portpair *)&(inet_twsk(__sk)->tw_dport)) == (__ports)) && \
 ((__sk)->sk_family == PF_INET6) && \
 (ipv6_addr_equal(&inet6_twsk(__sk)->tw_v6_daddr, (__saddr))) && \
diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h
index 668056b4bb0b..fdff630708ce 100644
--- a/include/net/inet6_hashtables.h
+++ b/include/net/inet6_hashtables.h
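Review bot: `INET6_MATCH` and `INET6_TW_MATCH` gain a `__net` argument but carry no comment, and the new `((__sk)->sk_net == (__net))` term is the only thing that keeps a lookup from handing back a socket owned by a different namespace, which is worth stating explicitly. A comment above the first macro along the lines of `/* __net: namespace of the incoming packet; a socket only matches within its own namespace */` would do. Placing the pointer compare directly after the `sk_hash` test, ahead of the address compares, is the cheap-first order one would want, and `__net` is expanded exactly once in each macro, so callers may pass an expression without a double-evaluation hazard. `INET6_TW_MATCH` continues past the hunk's last line.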
@@ -57,34 +57,37 @@ extern void __inet6_hash(struct inet_hashinfo *hashinfo, struct sock *sk); * * The sockhash lock must be held as a reader here. */ -extern struct sock *__inet6_lookup_established(struct inet_hashinfo *hashinfo, +extern struct sock *__inet6_lookup_established(struct net *net, + struct inet_hashinfo *hashinfo, const struct in6_addr *saddr, const __be16 sport, const struct in6_addr *daddr, const u16 hnum, const int dif); -extern struct sock *inet6_lookup_listener(struct inet_hashinfo *hashinfo, +extern struct sock *inet6_lookup_listener(struct net *net, + struct inet_hashinfo *hashinfo, const struct in6_addr *daddr, const unsigned short hnum, const int dif); -static inline struct sock *__inet6_lookup(struct inet_hashinfo *hashinfo, +static inline struct sock *__inet6_lookup(struct net *net, + struct inet_hashinfo *hashinfo, const struct in6_addr *saddr, const __be16 sport, const struct in6_addr *daddr, const u16 hnum, const int dif) { - struct sock *sk = __inet6_lookup_established(hashinfo, saddr, sport, - daddr, hnum, dif); + struct sock *sk = __inet6_lookup_established(net, hashinfo, saddr, + sport, daddr, hnum, dif); if (sk) return sk; - return inet6_lookup_listener(hashinfo, daddr, hnum, dif); + return inet6_lookup_listener(net, hashinfo, daddr, hnum, dif); } -extern struct sock *inet6_lookup(struct inet_hashinfo *hashinfo, +extern struct sock *inet6_lookup(struct net *net, struct inet_hashinfo *hashinfo, const struct in6_addr *saddr, const __be16 sport, const struct in6_addr *daddr, const __be16 dport, const int dif); -- cgit v1.2.2 From 71d67e666e73e3b7e9ef124745ee2e454ac04be8 Mon Sep 17 00:00:00 2001 
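Review bot: The `net` parameter added to `__inet6_lookup_established`, `inet6_lookup_listener`, `__inet6_lookup` and `inet6_lookup` is undocumented; the existing header comment only speaks about the sockhash lock. Suggest extending that comment with ` * @net: namespace the skb arrived in; the result is never a socket of another namespace`. A point of style: the IPv4 counterpart in inet_hashtables.h, rewritten earlier in this series, expresses the listener fallback as `return sk ? : __inet_lookup_listener(...)` while `__inet6_lookup` here keeps `if (sk) return sk;` followed by the listener call; that shape predates this change, but since both bodies are touched anyway, aligning them would help anyone comparing the two headers.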
From: Stephen Hemminger
Date: Thu, 31 Jan 2008 16:45:47 -0800
Subject: [IPV4] fib_trie: rescan if key is lost during dump

Normally during a dump the key of the last dumped entry is used for continuation, but since lock is dropped it might be lost. In that case fallback to the old counter based N^2 behaviour. This means the dump will end up skipping some routes which matches what FIB_HASH does.

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
---
 include/linux/netlink.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'include')
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index bd13b6f4a98e..fb0713b6ffaf 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -219,7 +219,7 @@ struct netlink_callback
 int (*dump)(struct sk_buff * skb, struct netlink_callback *cb);
 int (*done)(struct netlink_callback *cb);
 int family;
- long args[5];
+ long args[6];
 };
 
 struct netlink_notify
-- 
cgit v1.2.2

From e83a2ea850bf0c0c81c675444080970fc07798c6 Mon Sep 17 00:00:00 2001
From: Chris Leech
Date: Thu, 31 Jan 2008 16:53:23 -0800
Subject: [VLAN]: set_rx_mode support for unicast address list

Reuse the existing logic for multicast list synchronization for the unicast address list. The core of dev_mc_sync/unsync are split out as __dev_addr_sync/unsync and moved from dev_mcast.c to dev.c. These are then used to implement dev_unicast_sync/unsync as well. I'm working on cleaning up Intel's FCoE stack, which generates new MAC addresses from the fibre channel device id assigned by the fabric as per the current draft specification in T11. When using such a protocol in a VLAN environment it would be nice to not always be forced into promiscuous mode, assuming the underlying Ethernet driver supports multiple unicast addresses as well.

Signed-off-by: Chris Leech
Signed-off-by: Patrick McHardy
---
 include/linux/netdevice.h | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'include')
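Review bot: `long args[6];` is a bare size bump with nothing in `struct netlink_callback` saying why a sixth slot is needed, and every dump callback shares this scratch area by index, so the next reader has to dig through the log to learn who owns the new slot. The commit message explains that the fib_trie dump uses it to carry the key of the last dumped entry across a lock drop; a comment such as `long args[6]; /* per-dump scratch; the sixth slot carries fib_trie's continuation key */` keeps that next to the field. Which index fib_trie actually uses is in the fib_trie change, not in this hunk, so confirm before naming it.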
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index b0813c3286b1..047d432bde55 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1414,12 +1414,16 @@ extern void dev_set_rx_mode(struct net_device *dev);
 extern void __dev_set_rx_mode(struct net_device *dev);
 extern int dev_unicast_delete(struct net_device *dev, void *addr, int alen);
 extern int dev_unicast_add(struct net_device *dev, void *addr, int alen);
+extern int dev_unicast_sync(struct net_device *to, struct net_device *from);
+extern void dev_unicast_unsync(struct net_device *to, struct net_device *from);
 extern int dev_mc_delete(struct net_device *dev, void *addr, int alen, int all);
 extern int dev_mc_add(struct net_device *dev, void *addr, int alen, int newonly);
 extern int dev_mc_sync(struct net_device *to, struct net_device *from);
 extern void dev_mc_unsync(struct net_device *to, struct net_device *from);
 extern int __dev_addr_delete(struct dev_addr_list **list, int *count, void *addr, int alen, int all);
 extern int __dev_addr_add(struct dev_addr_list **list, int *count, void *addr, int alen, int newonly);
+extern int __dev_addr_sync(struct dev_addr_list **to, int *to_count, struct dev_addr_list **from, int *from_count);
+extern void __dev_addr_unsync(struct dev_addr_list **to, int *to_count, struct dev_addr_list **from, int *from_count);
 extern void dev_set_promiscuity(struct net_device *dev, int inc);
 extern void dev_set_allmulti(struct net_device *dev, int inc);
 extern void netdev_state_change(struct net_device *dev);
-- 
cgit v1.2.2

From 29e75252da20f3ab9e132c68c9aed156b87beae6 Mon Sep 17 00:00:00 2001
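Review bot: The four new prototypes (`dev_unicast_sync`, `dev_unicast_unsync`, `__dev_addr_sync`, `__dev_addr_unsync`) are added without any comment on their contract, in particular what the `int` returned by the sync variants means and whether a failed sync leaves `to` partially updated. The existing `dev_mc_sync`/`dev_mc_unsync` lines are equally bare, so this hunk is the natural place to document the family once, e.g. `/* Sync the unicast list of @from into @to (undo with the _unsync variant); returns 0 or a negative errno, as dev_mc_sync() does */`. The return convention is inferred from the signature and the commit message's statement that the multicast logic is reused; confirm it against the dev.c implementation, which is not in this diff.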
From: Eric Dumazet
Date: Thu, 31 Jan 2008 17:05:09 -0800
Subject: [IPV4] route cache: Introduce rt_genid for smooth cache invalidation

Current ip route cache implementation is not suited to large caches. We can consume a lot of CPU when cache must be invalidated, since we currently need to evict all cache entries, and this eviction is sometimes asynchronous. min_delay & max_delay can somewhat control this asynchronism behavior, but whole thing is a kludge, regularly triggering infamous soft lockup messages. When entries are still in use, this also consumes a lot of ram, filling dst_garbage.list. A better scheme is to use a generation identifier on each entry, so that cache invalidation can be performed by changing the table identifier, without having to scan all entries. No more delayed flushing, no more stalling when secret_interval expires. Invalidated entries will then be freed at GC time (controled by ip_rt_gc_timeout or stress), or when an invalidated entry is found in a chain when an insert is done. Thus we keep a normal equilibrium. This patch :
- renames rt_hash_rnd to rt_genid (and makes it an atomic_t)
- Adds a new rt_genid field to 'struct rtable' (filling a hole on 64bit)
- Checks entry->rt_genid at appropriate places :
---
 include/linux/sysctl.h | 4 ++--
 include/net/route.h | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
(limited to 'include')
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 89faebfe48b8..bf4ae4e138f7 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -440,8 +440,8 @@ enum
 enum
 {
 NET_IPV4_ROUTE_FLUSH=1,
- NET_IPV4_ROUTE_MIN_DELAY=2,
- NET_IPV4_ROUTE_MAX_DELAY=3,
+ NET_IPV4_ROUTE_MIN_DELAY=2, /* obsolete since 2.6.25 */
+ NET_IPV4_ROUTE_MAX_DELAY=3, /* obsolete since 2.6.25 */
 NET_IPV4_ROUTE_GC_THRESH=4,
 NET_IPV4_ROUTE_MAX_SIZE=5,
 NET_IPV4_ROUTE_GC_MIN_INTERVAL=6,
diff --git a/include/net/route.h b/include/net/route.h
index fcc6d5b35863..eadad5901429 100644
--- a/include/net/route.h
+++ b/include/net/route.h @@ -62,6 +62,7 @@ struct rtable struct in_device *idev; + int rt_genid; unsigned rt_flags; __u16 rt_type; -- cgit v1.2.2 From 9472c9ef645d03ea823801d7716e658aeaf894e4 Mon Sep 17 00:00:00 2001 From: Masahide NAKAMURA Date: Thu, 31 Jan 2008 17:14:58 -0800 Subject: [XFRM]: Fix statistics. o Outbound sequence number overflow error status is counted as XfrmOutStateSeqError. o Additionally, it changes inbound sequence number replay error name from XfrmInSeqOutOfWindow to XfrmInStateSeqError to apply name scheme above. o Inbound IPv4 UDP encapsulation type mismatch error is wrongly mapped to XfrmInStateInvalid, so this patch fixes the error to XfrmInStateMismatch. Signed-off-by: Masahide NAKAMURA Signed-off-by: David S. Miller --- include/linux/snmp.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/snmp.h b/include/linux/snmp.h index 86d3effb2836..5df62ef1280c 100644 --- a/include/linux/snmp.h +++ b/include/linux/snmp.h @@ -227,7 +227,7 @@ enum LINUX_MIB_XFRMINNOSTATES, /* XfrmInNoStates */ LINUX_MIB_XFRMINSTATEPROTOERROR, /* XfrmInStateProtoError */ LINUX_MIB_XFRMINSTATEMODEERROR, /* XfrmInStateModeError */ - LINUX_MIB_XFRMINSEQOUTOFWINDOW, /* XfrmInSeqOutOfWindow */ + LINUX_MIB_XFRMINSTATESEQERROR, /* XfrmInStateSeqError */ LINUX_MIB_XFRMINSTATEEXPIRED, /* XfrmInStateExpired */ LINUX_MIB_XFRMINSTATEMISMATCH, /* XfrmInStateMismatch */ LINUX_MIB_XFRMINSTATEINVALID, /* XfrmInStateInvalid */ @@ -241,6 +241,7 @@ enum LINUX_MIB_XFRMOUTNOSTATES, /* XfrmOutNoStates */ LINUX_MIB_XFRMOUTSTATEPROTOERROR, /* XfrmOutStateProtoError */ LINUX_MIB_XFRMOUTSTATEMODEERROR, /* XfrmOutStateModeError */ + LINUX_MIB_XFRMOUTSTATESEQERROR, /* XfrmOutStateSeqError */ LINUX_MIB_XFRMOUTSTATEEXPIRED, /* XfrmOutStateExpired */ LINUX_MIB_XFRMOUTPOLBLOCK, /* XfrmOutPolBlock */ LINUX_MIB_XFRMOUTPOLDEAD, /* XfrmOutPolDead */ -- cgit v1.2.2 From 0027ba843450a5e28dd7fed580ad1e1546b7696b Mon Sep 17 00:00:00 2001 
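Review bot: `int rt_genid;` joins `struct rtable` without a comment, and the field only makes sense together with the global generation counter the commit message describes, which a reader of the header alone cannot see. A comment such as `int rt_genid; /* generation at insertion; the entry is stale once this differs from the global id */` would keep that relationship in the header rather than in the commit log. `struct rtable` begins outside the hunk.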
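Review bot: Renaming `LINUX_MIB_XFRMINSEQOUTOFWINDOW` to `LINUX_MIB_XFRMINSTATESEQERROR` changes the `/* XfrmInSeqOutOfWindow */` label as well, and inserting `LINUX_MIB_XFRMOUTSTATESEQERROR` in the second hunk renumbers every enumerator that follows it. If these values index a name table used for the per-counter output (the neighbouring `/* Xfrm... */` comments suggest they do), that table has to change in the same commit or labels and counters will misalign; this diff touches only the header, so that should be confirmed. Anything in userspace keyed on the old `XfrmInSeqOutOfWindow` string stops matching, which may be acceptable but deserves a sentence in the message.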
From: Adrian Bunk
Date: Thu, 31 Jan 2008 17:17:31 -0800
Subject: [IPV4]: Make struct ipv4_devconf static.

struct ipv4_devconf can now become static.

Signed-off-by: Adrian Bunk
Acked-by: Pavel Emelyanov
Signed-off-by: David S. Miller
---
 include/linux/inetdevice.h | 2 --
 1 file changed, 2 deletions(-)
(limited to 'include')
diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index 8d9eaaebded7..fc4e3db649e8 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -17,8 +17,6 @@ struct ipv4_devconf
 DECLARE_BITMAP(state, __NET_IPV4_CONF_MAX - 1);
 };
 
-extern struct ipv4_devconf ipv4_devconf;
-
 struct in_device
 {
 struct net_device *dev;
-- 
cgit v1.2.2

From 5239008b0de2507a531440b8c3019fb9c116fb1a Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Thu, 31 Jan 2008 18:36:18 -0800
Subject: [NET_SCHED]: Constify struct tcf_ext_map

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
---
 include/net/pkt_cls.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'include')
diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h
index 8716eb757d51..d349c66ef828 100644
--- a/include/net/pkt_cls.h
+++ b/include/net/pkt_cls.h
@@ -131,14 +131,14 @@ tcf_exts_exec(struct sk_buff *skb, struct tcf_exts *exts,
 
 extern int tcf_exts_validate(struct tcf_proto *tp, struct nlattr **tb,
 struct nlattr *rate_tlv, struct tcf_exts *exts,
- struct tcf_ext_map *map);
+ const struct tcf_ext_map *map);
 extern void tcf_exts_destroy(struct tcf_proto *tp, struct tcf_exts *exts);
 extern void tcf_exts_change(struct tcf_proto *tp, struct tcf_exts *dst,
 struct tcf_exts *src);
 extern int tcf_exts_dump(struct sk_buff *skb, struct tcf_exts *exts,
- struct tcf_ext_map *map);
+ const struct tcf_ext_map *map);
 extern int tcf_exts_dump_stats(struct sk_buff *skb, struct tcf_exts *exts,
- struct tcf_ext_map *map);
+ const struct tcf_ext_map *map);
 
 /**
  * struct tcf_pkt_info - packet information
-- 
cgit v1.2.2
From 94de78d19580143c407ff2492edf2410d0e7d48c Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Thu, 31 Jan 2008 18:37:16 -0800
Subject: [NET_SCHED]: sch_sfq: make internal queues visible as classes

Add support for dumping statistics and make internal queues visible as classes.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
---
 include/linux/pkt_sched.h | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'include')
diff --git a/include/linux/pkt_sched.h b/include/linux/pkt_sched.h
index 32761352e858..dbb7ac37960d 100644
--- a/include/linux/pkt_sched.h
+++ b/include/linux/pkt_sched.h
@@ -150,6 +150,11 @@ struct tc_sfq_qopt
 unsigned flows; /* Maximal number of flows */
 };
 
+struct tc_sfq_xstats
+{
+ __s32 allot;
+};
+
 /*
  * NOTE: limit, divisor and flows are hardwired to code at the moment.
  *
-- 
cgit v1.2.2

From e5dfb815181fcb186d6080ac3a091eadff2d98fe Mon Sep 17 00:00:00 2001
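Review bot: `struct tc_sfq_xstats` is a statistics block handed to userspace over netlink, and its single field `__s32 allot;` has no comment saying what the value is or why it is signed. Proposed: `__s32 allot; /* remaining byte allotment of this flow; signed because it may go negative after a deficit */` — the negative case is inferred from the signed type and should be checked against sch_sfq.c before the comment is committed. Since the layout becomes ABI once shipped, a note that fields may only be appended would prevent a later mistake.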
From: Patrick McHardy Date: Thu, 31 Jan 2008 18:37:42 -0800 Subject: [NET_SCHED]: Add flow classifier Add new "flow" classifier, which is meant to extend the SFQ hashing capabilities without hard-coding new hash functions and also allows deterministic mappings of keys to classes, replacing some out of tree iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps IPs to marks, with fw filters to classes), ... Some examples: - Classic SFQ hash: tc filter add ... flow hash \ keys src,dst,proto,proto-src,proto-dst divisor 1024 - Classic SFQ hash, but using information from conntrack to work properly in combination with NAT: tc filter add ... flow hash \ keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024 - Map destination IPs of 192.168.0.0/24 to classids 1-257: tc filter add ... flow map \ key dst addend -192.168.0.0 divisor 256 - alternatively: tc filter add ... flow map \ key dst and 0xff - similar, but reverse ordered: tc filter add ... flow map \ key dst and 0xff xor 0xff Perturbation is currently not supported because we can't reliably kill the timer on destruction. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/pkt_cls.h | 50 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) (limited to 'include') diff --git a/include/linux/pkt_cls.h b/include/linux/pkt_cls.h index 30b8571e6b34..1c1dba9ea5fb 100644 --- a/include/linux/pkt_cls.h +++ b/include/linux/pkt_cls.h 
@@ -328,6 +328,56 @@ enum
 
 #define TCA_TCINDEX_MAX (__TCA_TCINDEX_MAX - 1)
 
+/* Flow filter */
+
+enum
+{
+ FLOW_KEY_SRC,
+ FLOW_KEY_DST,
+ FLOW_KEY_PROTO,
+ FLOW_KEY_PROTO_SRC,
+ FLOW_KEY_PROTO_DST,
+ FLOW_KEY_IIF,
+ FLOW_KEY_PRIORITY,
+ FLOW_KEY_MARK,
+ FLOW_KEY_NFCT,
+ FLOW_KEY_NFCT_SRC,
+ FLOW_KEY_NFCT_DST,
+ FLOW_KEY_NFCT_PROTO_SRC,
+ FLOW_KEY_NFCT_PROTO_DST,
+ FLOW_KEY_RTCLASSID,
+ FLOW_KEY_SKUID,
+ FLOW_KEY_SKGID,
+ __FLOW_KEY_MAX,
+};
+
+#define FLOW_KEY_MAX (__FLOW_KEY_MAX - 1)
+
+enum
+{
+ FLOW_MODE_MAP,
+ FLOW_MODE_HASH,
+};
+
+enum
+{
+ TCA_FLOW_UNSPEC,
+ TCA_FLOW_KEYS,
+ TCA_FLOW_MODE,
+ TCA_FLOW_BASECLASS,
+ TCA_FLOW_RSHIFT,
+ TCA_FLOW_ADDEND,
+ TCA_FLOW_MASK,
+ TCA_FLOW_XOR,
+ TCA_FLOW_DIVISOR,
+ TCA_FLOW_ACT,
+ TCA_FLOW_POLICE,
+ TCA_FLOW_EMATCHES,
+ __TCA_FLOW_MAX
+};
+
+#define TCA_FLOW_MAX (__TCA_FLOW_MAX - 1)
+
 /* Basic filter */
 
 enum
-- 
cgit v1.2.2

From 85326fa54b5516d8859617cc5fdfce8ae19c1480 Mon Sep 17 00:00:00 2001
From: "Denis V. Lunev"
Date: Thu, 31 Jan 2008 18:48:47 -0800
Subject: [IPV4]: fib_sync_down rework.

fib_sync_down can be called with an address and with a device. In reality it is called either with address OR with a device. The codepath inside is completely different, so lets separate it into two calls for these two cases.

Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
---
 include/net/ip_fib.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'include')
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index 9daa60b544ba..1b2f008db978 100644
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
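Review bot: Three new anonymous enums are added with no comment on any individual key, and their enumerator values become netlink ABI as soon as they ship. `FLOW_KEY_SKUID` and `FLOW_KEY_SKGID` in particular let socket credentials drive classification, which deserves a line so readers know the key comes from the owning socket rather than from packet bytes. A short header comment, e.g. `/* Flow filter: FLOW_KEY_* select the packet, socket or conntrack field that is hashed or mapped; append new keys before __FLOW_KEY_MAX only */`, with the same append-only note for `TCA_FLOW_*`, would cover both. Minor style point: `__TCA_FLOW_MAX` lacks the trailing comma that `__FLOW_KEY_MAX,` carries.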
@@ -218,7 +218,8 @@ extern void fib_select_default(struct net *net, const struct flowi *flp,
 
 /* Exported by fib_semantics.c */
 extern int ip_fib_check_default(__be32 gw, struct net_device *dev);
-extern int fib_sync_down(__be32 local, struct net_device *dev, int force);
+extern int fib_sync_down_dev(struct net_device *dev, int force);
+extern int fib_sync_down_addr(__be32 local);
 extern int fib_sync_up(struct net_device *dev);
 extern __be32 __fib_res_prefsrc(struct fib_result *res);
 extern void fib_select_multipath(const struct flowi *flp, struct fib_result *res);
-- 
cgit v1.2.2

From 7462bd744e8882f9ebb9220d46fd4fec8b35b082 Mon Sep 17 00:00:00 2001
From: "Denis V. Lunev"
Date: Thu, 31 Jan 2008 18:49:32 -0800
Subject: [NETNS]: Add a namespace mark to fib_info.

This is required to make fib_info lookups namespace aware. In the other case initial namespace devices are marked as dead in the local routing table during other namespace stop.

Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
---
 include/net/ip_fib.h | 1 +
 1 file changed, 1 insertion(+)
(limited to 'include')
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index 1b2f008db978..cb0df37950b7 100644
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -69,6 +69,7 @@ struct fib_nh {
 struct fib_info {
 struct hlist_node fib_hash;
 struct hlist_node fib_lhash;
+ struct net *fib_net;
 int fib_treeref;
 atomic_t fib_clntref;
 int fib_dead;
-- 
cgit v1.2.2

From 4814bdbd590e835ecec2d5e505165ec1c19796b2 Mon Sep 17 00:00:00 2001
From: "Denis V. Lunev"
Date: Thu, 31 Jan 2008 18:50:07 -0800
Subject: [NETNS]: Lookup in FIB semantic hashes taking into account the namespace.

The namespace is not available in the fib_sync_down_addr, add it as a parameter. Looking up a device by the pointer to it is OK. Looking up using a result from fib_trie/fib_hash table lookup is also safe. No need to fix that at all. So, just fix lookup by address and insertion to the hash table path.

Signed-off-by: Denis V. Lunev
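Review bot: `fib_sync_down_dev` and `fib_sync_down_addr` replace one entry point whose two code paths were, as the commit message says, completely different, yet neither new declaration says when it is meant to be called or what `force` changes. One comment per prototype, such as `/* fib_sync_down_dev: @dev went down or is being unregistered; see fib_semantics.c for what @force adds */` and `/* fib_sync_down_addr: local address @local was removed */`, would capture the split at the point of declaration. The meaning of `force` is not visible in this diff, so the wording should be filled in from the implementation rather than guessed.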
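Review bot: `struct net *fib_net;` stores a raw namespace pointer in `fib_info` with no comment on ownership, so it is unclear whether a reference is held or whether every fib_info must be freed before its namespace goes away. The commit message calls it a lookup mark; `struct net *fib_net; /* owning namespace, used as a lookup key; no reference held, so the fib_info must not outlive it */` would state that, with the no-reference part confirmed against the allocation code, which is not in this diff. `struct fib_info` continues past the hunk.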
Signed-off-by: David S. Miller
---
 include/net/ip_fib.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'include')
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index cb0df37950b7..90d1175f63de 100644
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -220,7 +220,7 @@ extern void fib_select_default(struct net *net, const struct flowi *flp,
 /* Exported by fib_semantics.c */
 extern int ip_fib_check_default(__be32 gw, struct net_device *dev);
 extern int fib_sync_down_dev(struct net_device *dev, int force);
-extern int fib_sync_down_addr(__be32 local);
+extern int fib_sync_down_addr(struct net *net, __be32 local);
 extern int fib_sync_up(struct net_device *dev);
 extern __be32 __fib_res_prefsrc(struct fib_result *res);
 extern void fib_select_multipath(const struct flowi *flp, struct fib_result *res);
-- 
cgit v1.2.2
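Review bot: `fib_sync_down_addr` now takes `net` while the `fib_sync_down_dev` declaration just above it does not, and nothing in the header explains the asymmetry; the commit message does (a device pointer already identifies its namespace, whereas a bare `__be32` address does not). A short comment on the `_dev` line, e.g. `/* no net argument: a net_device belongs to exactly one namespace */`, would keep that reasoning with the code instead of in the log.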